if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
$outfwsettings{'STATE'} = "ALLOW";
$POLICY = "DROP";
- $DO = "RETURN";
+ $DO = "ACCEPT";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
$outfwsettings{'STATE'} = "DENY";
$POLICY = "ACCEPT";
}
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
}
$MAC = "$configline[6]";
$CMD = "$CMD -m mac --mac-source $MAC";
}
-
+
$CMD = "$CMD -o $netsettings{'RED_DEV'}";
+
+ if ($configline[9] eq "aktiv") {
+ if ($DEBUG) {
+ print "$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '\n";
+ } else {
+ system("$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '");
+ }
+ }
+
if ($DEBUG) {
print "$CMD -j $DO\n";
} else {
system("$CMD -j $DO");
}
-
- if ($configline[9] eq "log") {
- if ($DEBUG) {
- print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n";
- } else {
- system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '");
- }
- }
}
}
}
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
} else {
- $DO = "RETURN";
+ $DO = "ACCEPT";
if ("$p2pline[2]" eq "on") {
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
}
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP";
if ($DEBUG) {
print "$CMD\n";
} else {
/sbin/iptables -A FORWARD -j CUSTOMFORWARD
/sbin/iptables -N CUSTOMOUTPUT
/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
/sbin/iptables -t nat -N CUSTOMPREROUTING
/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
/sbin/iptables -t nat -N CUSTOMPOSTROUTING
/sbin/iptables -A INPUT -j OPENSSLVIRTUAL
/sbin/iptables -A FORWARD -j IPSECVIRTUAL
/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
+
+ # Outgoing Firewall
+ /sbin/iptables -A FORWARD -j OUTGOINGFW
# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
[ "$IFACE" != "" ] && ifconfig $IFACE -multicast
/etc/rc.d/init.d/firewall reload
/usr/local/bin/setfilters
+ /usr/local/bin/outgoingfwctrl
/usr/local/bin/restartsnort red
/usr/local/bin/qosctrl start
/usr/local/bin/setportfw