X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Fforwardfw%2Frules.pl;h=9f23c54e0a5b0fc47472919b9d2d34726f5fdbea;hp=f13bb5f16c91c55c1650dbe99c7188fefe2a93d5;hb=653a71b9514dc8a88e7d2247d1d709245afe748c;hpb=e17121fee73ba9adcc2d102d0127695613b780e8
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index f13bb5f16..9f23c54e0 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -114,25 +114,8 @@ if($param eq 'flush'){
 &p2pblock;
 system ("/usr/sbin/firewall-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
- if ($defaultNetworks{'BLUE_DEV'}){
- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
- #set default rules for BLUE
- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
- }
- if ($defaultNetworks{'ORANGE_DEV'}){
- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- #set default rules for DMZ
- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- if ($defaultNetworks{'BLUE_DEV'}){
- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
- }
- }
 &p2pblock;
- system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
 system ("/usr/sbin/firewall-policy");
 system ("/etc/sysconfig/firewall.local reload");
 }
@@ -157,9 +140,6 @@ sub preparerules
 if (! -z "${General::swroot}/forward/outgoing"){
 &buildrules(\%configoutgoingfw);
 }
- if (! -z "${General::swroot}/forward/nat"){
- &buildrules(\%confignatfw);
- }
 }
 sub buildrules
 {
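Review bot: The ACCEPT rule added on the `+` line is still built as a single shell string with `$CHAIN` interpolated and its exit status is discarded, so if iptables fails the MODE2 chain silently ends without its ACCEPT rule; the list form `system('iptables', '-A', $CHAIN, '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT') == 0 or warn "iptables -A $CHAIN failed: $?";` keeps the shell out of the invocation and reports the failure. With the BLUE/ORANGE to GREEN RETURN rules removed, that ACCEPT now applies to every NEW connection that reaches `$CHAIN` after `&p2pblock`, so a comment such as `# inter-zone defaults are applied by /usr/sbin/firewall-policy` on that line would tell the next reader where the per-zone policy is expected to live — assuming that is where it moved, which this hunk does not show. The `if`/`elsif` chain this belongs to starts before the hunk.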
@@ -595,7 +575,7 @@ sub get_port
 return "--dport $$hash{$key}[15] ";
 }else{
 $$hash{$key}[15] =~ s/\:/-/g;
- return ":$$hash{$key}[15]";
+ return ":$$hash{$key}[15]";
 }
 }
 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
@@ -605,7 +585,7 @@ sub get_port
 }
 }elsif($$hash{$key}[14] eq 'cust_srv'){
 if ($prot ne 'ICMP'){
- if($$hash{$key}[31] eq 'dnat'){
+ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
 }else{
 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
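Review bot: The new condition on the `+` line of the second hunk keys on positional fields 28 and 31 of the rule array without any comment saying what they hold, so a reader cannot tell why only a DNAT rule with field 28 set to `'ON'` gets the `:port` form while everything else falls through to `--dport`; a comment above the `if` such as `# field 31: rule target ('dnat'); field 28: <flag this port form depends on — confirm against the rule file format>` would make the branch readable. If field 28 can be missing in older rule files, `eq 'ON'` on undef emits a warning under `use warnings` but still takes the `--dport` branch, which looks like the intended default; worth confirming. The enclosing `get_port` starts and ends outside the hunk.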