X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Ffirewall-policy;h=4ba1ace8cec12cee5aab07082e1c8d0cc107a053;hp=b820a7f3ee9dd9ca7fce76521a1c63b56eb2b804;hb=c0e0848f999ed8944ae551047fdea32bfee88d03;hpb=824dc93601e03f14d6acaffe11fb578fe2667394
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index b820a7f3e..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,10 +52,22 @@ case "${CONFIG_TYPE}" in
 		;;
 esac
+HAVE_IPSEC="true"
 HAVE_OPENVPN="true"
 # INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+	true,MODE1) ;;
+	true,*)
+		iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+		;;
+esac
+
 # OpenVPN INPUT
 # Allow direct access to the internal IP addresses of the firewall
 # from remote subnets if forward policy is allowed.
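Review bot: The new POLICYIN rule `iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT` opens the firewall's own INPUT path to every packet arriving on the green device with no source restriction, and unlike the HAVE_IPSEC case below it is not conditioned on POLICY at all. The second hunk of this same commit shows the script also handles a configuration where `${IFACE}` equals `${GREEN_DEV}` ("internet via green"); if that configuration reaches this rule (the CONFIG_TYPE case that decides it ends just above the hunk and its arms are not visible), traffic from the uplink would be accepted to the firewall itself before any later rule runs. Since `${GREEN_NETADDRESS}`/`${GREEN_NETMASK}` are already used by this commit in the forward section, the same restriction would be cheap here: `iptables -A POLICYIN -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT`, or guard the rule with the same `[ "${IFACE}" = "${GREEN_DEV}" ]` test the forward hunk uses. A one-line comment stating why `HAVE_IPSEC` is hard-coded to `true` rather than read from the IPsec configuration, as `HAVE_OPENVPN` already is, would also help the next reader.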
@@ -101,15 +113,34 @@ case "${POLICY}" in
 		;;
 	*)
+		# Access from GREEN is granted to everywhere
+		if [ "${IFACE}" = "${GREEN_DEV}" ]; then
+			# internet via green
+			# don't check source IP/NET if IFACE is GREEN
+			iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT
+		else
+			iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
+		fi
+
+		# Grant access for IPsec VPN connections
+		iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
+
+		# Grant access for OpenVPN connections
+		iptables -A POLICYFWD -i tun+ -j ACCEPT
+
 		if [ -n "${IFACE}" ]; then
 			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
-				iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+				iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
 			fi
+
 			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
-				iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+				iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
 			fi
 		fi
-		iptables -A POLICYFWD -j ACCEPT
+
+		if [ "${DROPFORWARD}" = "on" ]; then
+			iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+		fi
 		iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 		;;
 esac
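Review bot: In the `[ "${IFACE}" = "${GREEN_DEV}" ]` branch the rule `iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT` forwards everything arriving on the green device to every output interface with neither a source nor an `-o` restriction, whereas the new BLUE/ORANGE rules further down only accept traffic whose destination is `${IFACE}`. If green is the uplink in that configuration, as the "internet via green" comment suggests (the CONFIG_TYPE handling that establishes this is outside the hunk), packets from the uplink would be forwarded into BLUE and ORANGE before the default `DROP_FORWARD` rule is reached, which inverts the direction the BLUE/ORANGE rules enforce. The comment should state explicitly why unrestricted forwarding from the uplink is acceptable there, or the rule should be narrowed, e.g. to `! -o "${BLUE_DEV}"` and `! -o "${ORANGE_DEV}"` when those zones exist. Separately, `iptables -A POLICYFWD -i tun+ -j ACCEPT` is not gated on `HAVE_OPENVPN` and matches any tun device, not only OpenVPN's; wrapping it in `if [ "${HAVE_OPENVPN}" = "true" ]; then … fi` would keep it consistent with the OpenVPN INPUT handling.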