&p2pblock;
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
- if ($defaultNetworks{'BLUE_DEV'}){
- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
- #set default rules for BLUE
- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
- }
- if ($defaultNetworks{'ORANGE_DEV'}){
- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- #set default rules for DMZ
- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- if ($defaultNetworks{'BLUE_DEV'}){
- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
- }
- }
&p2pblock;
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
system ("/etc/sysconfig/firewall.local reload");
}
if (! -z "${General::swroot}/forward/outgoing"){
&buildrules(\%configoutgoingfw);
}
- if (! -z "${General::swroot}/forward/nat"){
- &buildrules(\%confignatfw);
- }
}
sub buildrules
{
return "--dport $$hash{$key}[15] ";
}else{
$$hash{$key}[15] =~ s/\:/-/g;
- return ":$$hash{$key}[15]";
+ return ":$$hash{$key}[15]";
}
}
}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
}
}elsif($$hash{$key}[14] eq 'cust_srv'){
if ($prot ne 'ICMP'){
- if($$hash{$key}[31] eq 'dnat'){
+ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
}else{
return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
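Review bot: The added `&& $$hash{$key}[28] eq 'ON'` is an unexplained magic index that changes whether a `dnat` rule gets the `":port"` target form or falls back to `--dport`; a short comment naming the field would keep the next maintainer from guessing, e.g. `# [28]: DNAT port-forwarding flag; only emit the ":port" --to suffix when ON, else match with --dport`. It is worth confirming that the fallback is intended: a `dnat` rule with `[28]` not `ON` now gets `--dport`, which is a match option, not a DNAT target suffix, and the caller that consumes this return value is outside the hunk. The parallel branch for a literal port earlier in `buildrules` (the `return ":$$hash{$key}[15]"` line, changed only in whitespace in this diff) does not visibly receive the same guard; whether it needs one cannot be told from here because its condition is cut off above the hunk.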