X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=src%2Finitscripts%2Finit.d%2Ffirewall;h=853f195cf909a94bb546d7655f17067c2aa57058;hp=f0d9c492adc9bff9844fc41bc6968d82532a92c4;hb=8e59a6022bf7cb225c3509be2964833cce0e630c;hpb=d22294fa7e70fa6eb907239ba00c2a0c7ae1863d

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f0d9c492a..853f195cf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
 	iptables -N IPTVFORWARD
 	iptables -A FORWARD -j IPTVFORWARD
 
-	# filtering from GUI
-	iptables -N GUIINPUT
-	iptables -A INPUT -j GUIINPUT
-	iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+	# Allow to ping the firewall.
+	iptables -N ICMPINPUT
+	iptables -A INPUT -j ICMPINPUT
+	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
 	# Accept everything on loopback
 	iptables -N LOOPBACK
@@ -143,6 +143,31 @@ iptables_init() {
 		iptables -A ${i} -j CONNTRACK
 	done
 
+	# Allow DHCP
+	iptables -N DHCPINPUT
+	iptables -A DHCPINPUT -p udp --sport 68 --dport 67 -j ACCEPT
+	iptables -A DHCPINPUT -p tcp --sport 68 --dport 67 -j ACCEPT
+
+	iptables -N DHCPOUTPUT
+	iptables -A DHCPOUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
+	iptables -A DHCPOUTPUT -p tcp --sport 67 --dport 68 -j ACCEPT
+
+	# Allow DHCP on GREEN
+	iptables -N DHCPGREENINPUT
+	iptables -N DHCPGREENOUTPUT
+	if [ -n "${GREEN_DEV}" ]; then
+		iptables -A INPUT  -i "${GREEN_DEV}" -j DHCPGREENINPUT
+		iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
+	fi
+
+	# allow DHCP on BLUE to be turned on/off
+	iptables -N DHCPBLUEINPUT
+	iptables -N DHCPBLUEOUTPUT
+	if [ -n "${BLUE_DEV}" ]; then
+		iptables -A INPUT  -i "${BLUE_DEV}" -j DHCPBLUEINPUT
+		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
+	fi
+
 	# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
 	iptables -N IPSECINPUT
 	iptables -N IPSECFORWARD
@@ -155,11 +180,7 @@ iptables_init() {
 
 	# localhost and ethernet.
 	iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
-	
-	# allow DHCP on BLUE to be turned on/off
-	iptables -N DHCPBLUEINPUT 
-	iptables -A INPUT -j DHCPBLUEINPUT
-	
+
 	# WIRELESS chains
 	iptables -N WIRELESSINPUT
 	iptables -A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT