Ausgehende Firewall aktiviert, kann nun getestet werden.
authorms <ms@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Thu, 7 Jun 2007 16:39:54 +0000 (16:39 +0000)
committerms <ms@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Thu, 7 Jun 2007 16:39:54 +0000 (16:39 +0000)
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@616 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8

config/outgoingfw/outgoingfw.pl
src/initscripts/init.d/firewall
src/initscripts/init.d/net/red/update
src/pakfire/lib/functions.pl

index 4d8ee425de8c5cfa0cb9411b983ac447ac661056..522f281d960d98a867f118f1a7859c804d659034 100644 (file)
@@ -76,7 +76,7 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
        $outfwsettings{'STATE'} = "ALLOW";
        $POLICY = "DROP";
-       $DO = "RETURN";
+       $DO = "ACCEPT";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
        $outfwsettings{'STATE'} = "DENY";
        $POLICY = "ACCEPT";
@@ -93,9 +93,9 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-       $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
+       $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-               $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
+               $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
        if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
 
@@ -152,21 +152,22 @@ foreach $configentry (sort @configs)
                                $MAC = "$configline[6]";
                                $CMD = "$CMD -m mac --mac-source $MAC";
                        }
-       
+                       
                        $CMD = "$CMD -o $netsettings{'RED_DEV'}";
+
+                       if ($configline[9] eq "aktiv") {
+                               if ($DEBUG) {
+                                       print "$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '\n";
+                               } else {
+                                       system("$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '");
+                               }
+                       }
+                       
                        if ($DEBUG) {
                                print "$CMD -j $DO\n";
                        } else {
                                system("$CMD -j $DO");
                        }
-                       
-                       if ($configline[9] eq "log") {
-                               if ($DEBUG) {
-                                       print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n";
-                               } else {
-                                       system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '");
-                               }
-                       }
     }
        }
 }
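Review bot: The new LOG rule is executed as a single interpolated string through `system()`, and `$CMD` at this point already carries `$MAC` and other per-entry fields from the outgoing-firewall config, so any shell metacharacter in those fields is handed to /bin/sh rather than to iptables. Validating the field before it is interpolated (for example `next unless $MAC =~ /\A[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\z/;` beside the `$MAC = "$configline[6]";` context line) or assembling the command as a list for `system(@cmd)` keeps the shell out of the path. Moving the LOG rule ahead of the `-j $DO` rule is the right order, since a terminating ACCEPT/DROP would otherwise shadow it; note the selector value also changes from `"log"` to `"aktiv"`, so the CGI that writes field 9 must emit `aktiv` or logging stops silently — confirm that side. The enclosing foreach over @configs starts before this hunk.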
@@ -187,7 +188,7 @@ foreach $p2pentry (sort @p2ps)
                        $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                }
        } else {
-               $DO = "RETURN";
+               $DO = "ACCEPT";
                if ("$p2pline[2]" eq "on") {
                        $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                }
@@ -202,7 +203,7 @@ if ($P2PSTRING) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-       $CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
+       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP";
        if ($DEBUG) {
                print "$CMD\n";
        } else {
index aca835736228e053f91c72bbc572c4e6dcedfcb5..f32f7a7e84d57333476b84f88c3f785e349cd6e5 100644 (file)
@@ -139,6 +139,8 @@ case "$1" in
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -N CUSTOMOUTPUT
        /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+       /sbin/iptables -N OUTGOINGFW
+       /sbin/iptables -A OUTPUT -j OUTGOINGFW
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
        /sbin/iptables -t nat -N CUSTOMPOSTROUTING
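Review bot: Jumping to OUTGOINGFW from OUTPUT as well as from FORWARD puts the firewall host's own traffic under the outgoing policy; in MODE1 the chain (per outgoingfw.pl in this commit) accepts only ESTABLISHED,RELATED and icmp unconditionally and ends in `-o RED_DEV -j DROP`, so locally generated new connections toward RED — such as the uuid counter fetch in functions.pl — appear to be dropped unless a config entry matches them. If that is intended, a comment next to `/sbin/iptables -A OUTPUT -j OUTGOINGFW` saying so would save the next reader the trace; otherwise keep only the FORWARD jump added in the second hunk of this file. The chain is created only on this start path; whether reload recreates it before outgoingfwctrl appends to it cannot be seen here, as the rest of the case statement is outside the hunk.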
@@ -159,6 +161,9 @@ case "$1" in
        /sbin/iptables -A INPUT -j OPENSSLVIRTUAL
        /sbin/iptables -A FORWARD -j IPSECVIRTUAL
        /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
+       
+       # Outgoing Firewall
+       /sbin/iptables -A FORWARD -j OUTGOINGFW
 
        # localhost and ethernet.
        /sbin/iptables -A INPUT   -i lo          -m state --state NEW -j ACCEPT
index 4f2f379defe5f0cbaf04533fefd73abcbdf68a29..7c06c3df149a8f0ac332244566e9ac8d3b4e909b 100644 (file)
@@ -103,6 +103,7 @@ if [ -e "/var/ipfire/red/active" ]; then
        [ "$IFACE" != "" ] && ifconfig $IFACE -multicast
        /etc/rc.d/init.d/firewall reload
        /usr/local/bin/setfilters
+       /usr/local/bin/outgoingfwctrl
        /usr/local/bin/restartsnort red
        /usr/local/bin/qosctrl start
        /usr/local/bin/setportfw
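Review bot: `/usr/local/bin/outgoingfwctrl` is invoked with its exit status ignored, like the neighbouring helpers, so a failure to repopulate OUTGOINGFW after the preceding `firewall reload` passes unnoticed and, in MODE1, seems to leave the chain without its DROP rule. It is also only run from this RED-up path; a `firewall reload` triggered from elsewhere would presumably recreate the chain empty until the next RED update — worth checking against the firewall initscript, which is not visible here. The surrounding `if` block continues outside the hunk.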
index cd99c85973fb26e1acc8c63724815d98f78a04f9..caf10c0bd43e8ae55f17a8b36a0fe4c5b48a0053 100644 (file)
@@ -478,7 +478,7 @@ sub senduuid {
        }
        logger("Sending my uuid: $Conf::uuid");
        fetchfile("cgi-bin/counter?ver=$Conf::version&uuid=$Conf::uuid", "$Conf::mainserver");
-       system("rm -f $Conf::cachedir/counter.cgi* 2>/dev/null");
+       system("rm -f $Conf::cachedir/counter* 2>/dev/null");
 }
 
 1;
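Review bot: The widened cleanup in `senduuid` still goes through `system("rm -f ...")`, so `$Conf::cachedir` is interpolated unquoted into a shell command line; `unlink glob("$Conf::cachedir/counter*");` does the same work without spawning /bin/sh or depending on shell word splitting, and returns a count that can be checked. Note that `counter*` now also matches any other file in the cache directory whose name begins with `counter`, not only the `counter.cgi` artifacts the old pattern targeted — fine if only fetchfile writes there, but worth a one-line comment. senduuid begins before this hunk.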