my $configfwdfw = "${General::swroot}/forward/config";
my $configinput = "${General::swroot}/forward/input";
my $configoutgoing = "${General::swroot}/forward/outgoing";
-my $confignat = "${General::swroot}/forward/nat";
my $p2pfile = "${General::swroot}/forward/p2protocols";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
-&General::readhasharray($confignat, \%confignatfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);
&p2pblock;
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
- if ($defaultNetworks{'BLUE_DEV'}){
- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
- #set default rules for BLUE
- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
- }
- if ($defaultNetworks{'ORANGE_DEV'}){
- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- #set default rules for DMZ
- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- if ($defaultNetworks{'BLUE_DEV'}){
- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
- }
- }
&p2pblock;
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
system ("/etc/sysconfig/firewall.local reload");
}
if (! -z "${General::swroot}/forward/outgoing"){
&buildrules(\%configoutgoingfw);
}
- if (! -z "${General::swroot}/forward/nat"){
- &buildrules(\%confignatfw);
- }
}
sub buildrules
{