# Flush all chains.
&flush();
- # Reload firewall rules.
- &preparerules();
+ # Prepare firewall rules.
+ if (! -z "${General::swroot}/firewall/input"){
+ &buildrules(\%configinputfw);
+ }
+ if (! -z "${General::swroot}/firewall/outgoing"){
+ &buildrules(\%configoutgoingfw);
+ }
+ if (! -z "${General::swroot}/firewall/config"){
+ &buildrules(\%configfwdfw);
+ }
# Load P2P block rules.
&p2pblock();
# Reload firewall policy.
run("/usr/sbin/firewall-policy");
+
+ #Reload firewall.local if present
+ if ( -f '/etc/sysconfig/firewall.local'){
+ run("/etc/sysconfig/firewall.local reload");
+ }
}
sub run {
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
}
-sub preparerules {
- if (! -z "${General::swroot}/firewall/input"){
- &buildrules(\%configinputfw);
- }
- if (! -z "${General::swroot}/firewall/outgoing"){
- &buildrules(\%configoutgoingfw);
- }
- if (! -z "${General::swroot}/firewall/config"){
- &buildrules(\%configfwdfw);
- }
-}
-
sub buildrules {
my $hash = shift;
# Concurrent connection limit
my @ratelimit_options = ();
- if (($elements gt 34) && ($$hash{$key}[32] eq 'ON')) {
+ if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
my $conn_limit = $$hash{$key}[33];
if ($conn_limit ge 1) {
}
# Ratelimit
- if (($elements gt 37) && ($$hash{$key}[34] eq 'ON')) {
+ if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
- if ($rate_limit) {
- push(@ratelimit_options, ("-m", "limit"));
- push(@ratelimit_options, ("--limit", $rate_limit));
- }
+ if ($rate_limit) {
+ push(@ratelimit_options, ("-m", "limit"));
+ push(@ratelimit_options, ("--limit", $rate_limit));
+ }
}
# Check which protocols are used in this rule and so that we can
push(@source_options, ("-s", $source));
}
- if ($source_intf) {
- push(@source_options, ("-i", $source_intf));
- }
-
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
- if ($destination_intf) {
- push(@destination_options, ("-o", $destination_intf));
- }
-
# Add time constraint options.
push(@options, @time_options);
}
}
+ # Add source and destination interface to the filter rules.
+ # These are supposed to help filtering forged packets that originate
+ # from BLUE with an IP address from GREEN for instance.
+ if ($source_intf) {
+ push(@source_options, ("-i", $source_intf));
+ }
+
+ if ($destination_intf) {
+ push(@destination_options, ("-o", $destination_intf));
+ }
+
push(@options, @source_options);
push(@options, @destination_options);
}
}
}
- #Reload firewall.local if present
- if ( -f '/etc/sysconfig/firewall.local'){
- run("/etc/sysconfig/firewall.local reload");
- }
}
# Formats the given timestamp into the iptables format which is "hh:mm" UTC.