firewall: Drop legacy rules for PPPoE/PPTP
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 21 Apr 2023 12:23:00 +0000 (12:23 +0000)
committerPeter Müller <peter.mueller@ipfire.org>
Mon, 24 Apr 2023 18:44:39 +0000 (18:44 +0000)
These rules were created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.

This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).

Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.

Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/firewall

index dfa08d58b6adb0d60aea8d31f94c1d58a193e1e0..50f2b3e029cfb833bfb4bff09ca783f0273b4af2 100644 (file)
@@ -424,19 +424,6 @@ iptables_red_up() {
                fi
        fi
 
-       # PPPoE / PPTP Device
-       if [ "$IFACE" != "" ]; then
-               # PPPoE / PPTP
-               if [ "$DEVICE" != "" ]; then
-                       iptables -A REDINPUT -i $DEVICE -j ACCEPT
-               fi
-               if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
-                       if [ "$RED_DEV" != "" ]; then
-                               iptables -A REDINPUT -i $RED_DEV -j ACCEPT
-                       fi
-               fi
-       fi
-
        # PPTP over DHCP
        if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
                iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT