Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
authorMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:59:32 +0000 (16:59 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 1 Mar 2014 15:59:32 +0000 (16:59 +0100)
config/firewall/firewall-policy
config/firewall/rules.pl
html/cgi-bin/firewall.cgi
src/initscripts/init.d/firewall
src/misc-progs/openvpnctrl.c

index bd1e40d35a101eea1ba5f5cb98333c118c949100..faf177ccef4631cf934637834a47ce1ce110e720 100755 (executable)
@@ -52,6 +52,8 @@ case "${CONFIG_TYPE}" in
                ;;
 esac
 
+HAVE_OPENVPN="true"
+
 # INPUT
 case "${FWPOLICY2}" in
        REJECT)
@@ -61,6 +63,16 @@ case "${FWPOLICY2}" in
                iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
                ;;
        *) # DROP
+               # OpenVPN
+               # Allow direct access to the internal IP addresses of the firewall
+               # from remote subnets if forward policy is allowed.
+               case "${HAVE_OPENVPN},${POLICY}" in
+                       true,MODE1) ;;
+                       true,*)
+                               iptables -A POLICYIN -i tun+ -j ACCEPT
+                               ;;
+               esac
+
                if [ "${DROPINPUT}" = "on" ]; then
                        iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
                fi
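Review bot: `HAVE_OPENVPN="true"` in the first hunk is a constant, so the `true,*` arm of the new case always fires and `iptables -A POLICYIN -i tun+ -j ACCEPT` is installed for every forward policy other than MODE1, whether or not OpenVPN is configured at all. If the variable is meant to reflect whether OpenVPN is enabled it should be read from the OpenVPN settings rather than hard-coded, or at least carry a comment such as `# TODO: derive HAVE_OPENVPN from the OpenVPN settings instead of forcing it on`. The rule also accepts every protocol and port from any tun interface to the firewall itself, which is broader than the comment's "direct access to the internal IP addresses of the firewall" reads; if that breadth is intended, the comment should say so. `${POLICY}` is not assigned in any visible hunk, so it is presumably sourced from the settings file earlier in the script.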
index 40ca8245f3ca4e57187cf8482294d730023a8ef0..845da1f889c7eddd11b184eab838e631afd0e1e4 100755 (executable)
@@ -112,7 +112,6 @@ if($param eq 'flush'){
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
                        &p2pblock;
                        system ("/usr/sbin/firewall-policy");
-                       system ("/etc/sysconfig/firewall.local reload");
                }
        }
 }
index ce8d0f3f15e536d8cb6e1d7d76f73908e433bfe3..7b75765b2cd51a0df87f14ac77ff4ca801540ab1 100644 (file)
@@ -2792,14 +2792,16 @@ END
                                                <font color="$Header::colourorange">$Lang::tr{'orange'}</font>
                                                ($Lang::tr{'fwdfw pol block'})
                                        </td>
+END
+                       }
+
+                       print <<END;
                                        <td align='center'>
                                                <font color="$Header::colourgreen">$Lang::tr{'green'}</font>
                                                ($Lang::tr{'fwdfw pol block'})
                                        </td>
+                               </tr>
 END
-                       }
-
-                       print"</tr>";
                }
 
                print <<END;
index 06a714a329046879d5eeb6c0fcd08418790692ed..dd678893738ff22b4ecba6ab886910ef01aeb598 100644 (file)
@@ -106,9 +106,10 @@ iptables_init() {
 
        # Block OpenVPN transfer networks
        iptables -N OVPNBLOCK
-       for i in INPUT FORWARD; do
-               iptables -A ${i} -j OVPNBLOCK
-       done
+       iptables -A INPUT   -i tun+ -j OVPNBLOCK
+       iptables -A OUTPUT  -o tun+ -j OVPNBLOCK
+       iptables -A FORWARD -i tun+ -j OVPNBLOCK
+       iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
        # OpenVPN transfer network translation
        iptables -t nat -N OVPNNAT
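Review bot: The four new jumps make OVPNBLOCK traverse for INPUT, OUTPUT and FORWARD, and on FORWARD in both directions (`-i tun+` and `-o tun+`), but nothing records that rules placed into the chain must therefore be direction-neutral; a comment above the jumps, e.g. `# OVPNBLOCK sees traffic entering and leaving tun+ interfaces; rules added to it must not assume a direction`, would stop a later rule from matching only the inbound case. The chain's contents are populated elsewhere (openvpnctrl in this same commit), outside this hunk. In the third hunk of this file the `/usr/local/bin/firewallctrl` call is removed and only `iptables_red` takes its place, so whether the rule set is still loaded at init time now rests on `/usr/sbin/firewall-policy` doing it, which is not visible here and worth confirming.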
@@ -196,8 +197,6 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
-       iptables_red
-
        # Custom prerouting chains (for transparent proxy)
        iptables -t nat -N SQUID
        iptables -t nat -A PREROUTING -j SQUID
@@ -226,10 +225,11 @@ iptables_init() {
        iptables -N POLICYOUT
        iptables -A OUTPUT -j POLICYOUT
 
+       # Initialize firewall policies.
        /usr/sbin/firewall-policy
 
-       # read new firewall
-       /usr/local/bin/firewallctrl
+       # Install firewall rules for the red interface.
+       iptables_red
 }
 
 iptables_red() {
index 272db0faade2dc3abb79687ad1d077c7308b4175..462ce77cce0b99019a09cc8c3df75161b5e94924 100644 (file)
@@ -365,6 +365,7 @@ ERROR:
 }
 
 void setFirewallRules(void) {
+       char command[STRING_SIZE];
        char protocol[STRING_SIZE] = "";
        char dport[STRING_SIZE] = "";
        char dovpnip[STRING_SIZE] = "";
@@ -405,11 +406,15 @@ void setFirewallRules(void) {
        if (!strcmp(enableorange, "on") && strlen(orangeif))
                addRule(OVPNINPUT, orangeif, protocol, dport);
 
+       /* Allow ICMP error messages to pass. */
+       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp"
+               " -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
+       executeCommand(command);
+
        // read connection configuration
        connection *conn = getConnections();
 
        // set firewall rules for n2n connections
-       char command[STRING_SIZE];
        char *local_subnet_address = NULL;
        char *transfer_subnet_address = NULL;
        while (conn != NULL) {
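Review bot: The new `snprintf(command, STRING_SIZE - 1, ...)` for the ICMP rule ignores its return value, so a truncated command string would still be handed to `executeCommand`; since `snprintf` already NUL-terminates within the size it is given, the idiomatic form is `int n = snprintf(command, sizeof command, "/sbin/iptables -A %s -p icmp -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);` followed by `if (n < 0 || (size_t)n >= sizeof command) return;` before the call. With a constant format and the OVPNBLOCK macro the string is fixed-length, so truncation is unlikely in practice, and if the rest of the file consistently passes `STRING_SIZE - 1` keeping that is defensible, but the unchecked return is the part worth fixing. The comment `/* Allow ICMP error messages to pass. */` could also note that OVPNBLOCK is now hooked on INPUT, OUTPUT and FORWARD in both directions, so this RETURN exempts RELATED ICMP in every direction. setFirewallRules continues past the end of the hunk.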