From c926c6375d11cca11b24dee3b538da8ae6aaa1f2 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Sat, 5 Apr 2014 11:04:25 +0200
Subject: [PATCH] firewall: fix green only mode.

disable masquerade and green IP/NET check if internet is connected via green.
---
 config/firewall/firewall-policy | 9 ++++++++-
 src/initscripts/init.d/firewall | 5 ++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 2176d6b9e5..16e98a5d4b 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -110,8 +110,15 @@ case "${POLICY}" in
 ;;
 *)
+ # Access from GREEN is granted to everywhere
- iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+ # internet via green
+ # don't check source IP/NET if IFACE is GREEN
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+ else
+ iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+ fi
 # Grant access for IPsec VPN connections
 iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index a67af70564..246be37b9c 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -311,7 +311,10 @@ iptables_red() {
 # Outgoing masquerading (don't masqerade IPSEC (mark 50))
 iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+
+ if [ "$IFACE" != "$GREEN_DEV" ]; then
+ iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
+ fi
 fi
--
2.39.2
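Review bot: The new `"${IFACE}" = "${GREEN_DEV}"` branch in firewall-policy accepts every packet entering on `${GREEN_DEV}` for forwarding with no source restriction, and because GREEN is the uplink in this mode that also admits forwarded traffic arriving from the upstream side of the link; the removed `-s "${GREEN_NETADDRESS}/${GREEN_NETMASK}"` match was the only thing bounding this rule to local hosts, so if forwarding into other zones remains possible here the exposure is wider than before. The inline comment should state that trade-off rather than only "don't check source IP/NET", e.g. `# internet via GREEN: the source cannot be limited to the GREEN subnet, so anything entering on GREEN_DEV is forwarded`. The hunk does not show where `IFACE` is assigned in this script; if it is unset the comparison falls through to the else branch, which is the safe outcome, but that should be confirmed against the file head. The enclosing `case` arm continues beyond the hunk.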
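Review bot: The MASQUERADE line re-added inside the new `if` in the initscript still leaves `$IFACE` unquoted (`-o $IFACE`) while the new test itself quotes it; since the line is being rewritten anyway, `iptables -t nat -A REDNAT -o "$IFACE" -j MASQUERADE` keeps the two consistent. The condition carries no comment explaining why masquerading is skipped, although the commit message gives the reason, so `# internet via GREEN (green-only mode): masquerading is disabled` above the `if` would carry it into the code. The `--mark 50 ... -j RETURN` rule on the line above is now installed even when no MASQUERADE follows it, which is harmless but could move inside the same `if` to keep the NAT chain minimal in green-only mode. `iptables_red()` starts and ends outside the hunk.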