Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set...

[people/teissler/ipfire-2.x.git] / src / initscripts / init.d / firewall

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 39e1dfd7b1fd981eb34658b91251495e3ad4cecf..7e3248147dc7e5bbcda0ba68a4af0e21cf2881c4 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -192,10 +192,6 @@ case "$1" in
        /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
        /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
-       # Forward Firewall
-       /sbin/iptables -N FORWARDFW
-       /sbin/iptables -A FORWARD -j FORWARDFW
-
        # Input Firewall
        /sbin/iptables -N INPUTFW
        /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW
@@ -208,13 +204,7 @@ case "$1" in
        /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
        /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
        /sbin/iptables -A INPUT   -i $GREEN_DEV  -m state --state NEW -j ACCEPT ! -p icmp
-       #/sbin/iptables -A FORWARD -i $GREEN_DEV  -m state --state NEW -j ACCEPT
-
-       # If a host on orange tries to initiate a connection to IPFire's red IP and
-       # the connection gets DNATed back through a port forward to a server on orange
-       # we end up with orange -> orange traffic passing through IPFire
-       [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+       
        # allow DHCP on BLUE to be turned on/off
        /sbin/iptables -N DHCPBLUEINPUT 
        /sbin/iptables -A INPUT -j DHCPBLUEINPUT
@@ -225,6 +215,10 @@ case "$1" in
        /sbin/iptables -N WIRELESSFORWARD
        /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
        
+       # Forward Firewall
+       /sbin/iptables -N FORWARDFW
+       /sbin/iptables -A FORWARD -j FORWARDFW
+               
        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS
@@ -242,13 +236,7 @@ case "$1" in
        /sbin/iptables -t nat -A POSTROUTING -j REDNAT
 
        iptables_red
-       
-       # DMZ pinhole chain.  
-       # ORANGE to talk to GREEN / BLUE.
-       if [ "$ORANGE_DEV" != "" ]; then
-               /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
-       fi
-       
+               
        # Custom prerouting chains (for transparent proxy and port forwarding)
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
@@ -279,17 +267,6 @@ case "$1" in
                /etc/sysconfig/firewall.local start
        fi
        
-       # last rule in input and forward chain is for logging.
-
-       if [ "$DROPINPUT" == "on" ]; then
-               /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
-       fi
-       /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
-       #if [ "$DROPFORWARD" == "on" ]; then
-       #       /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
-       #fi
-       #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
-       
        #POLICY CHAIN
        /sbin/iptables -N POLICYIN
        /sbin/iptables -A INPUT -j POLICYIN