firewall: fix faulty masquerading packets

diff --git a/lfs/initscripts b/lfs/initscripts
index 02f97431a2318186c57dbed65374451cf17141f1..ab870dc77dfe98e5b5c571381f20d567dff2fa8d 100644 (file)
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -187,7 +187,6 @@ $(TARGET) :
                /etc/rc.d/init.d/networking/red.up/24-RS-qos
        ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
        ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
-       ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
 
        for i in green blue orange; do \
                ln -sf any /etc/rc.d/init.d/networking/$$i; \

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f77bc02032bc37f36427ea2aab74ad4e92099be9..0d80e7cd6d9e4d5cc4c0e8d64b601a10345b9e42 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -277,10 +277,16 @@ iptables_init() {
        /usr/sbin/firewall-policy
 
        # Install firewall rules for the red interface.
-       iptables_red
+       iptables_red_up
+
+       # If red has not been brought up yet, we will
+       # add the blocking rules for MASQUERADE
+       if [ ! -e "/var/ipfire/red/active" ]; then
+               iptables_red_down
+       fi
 }
 
-iptables_red() {
+iptables_red_up() {
        iptables -F REDINPUT
        iptables -F REDFORWARD
        iptables -t nat -F REDNAT
@@ -358,6 +364,18 @@ iptables_red() {
        /usr/local/bin/firewallctrl
 }
 
+iptables_red_down() {
+       # Prohibit packets to reach the masquerading rule
+       # while the wan interface is down - this is required to
+       # circumvent udp related NAT issues
+       # http://forum.ipfire.org/index.php?topic=11127.0
+       iptables -F REDFORWARD
+       iptables -A REDFORWARD -o $IFACE -j DROP
+
+       # Reload all rules.
+       /usr/local/bin/firewallctrl
+}
+
 # See how we were called.
 case "$1" in
   start)
@@ -388,9 +406,9 @@ case "$1" in
                /etc/sysconfig/firewall.local start
        fi
        ;;
-  reload)
+  reload|up)
        boot_mesg "Reloading firewall"
-       iptables_red
+       iptables_red_up
        evaluate_retval
 
        # run local firewall configuration, if present
@@ -398,6 +416,11 @@ case "$1" in
                /etc/sysconfig/firewall.local reload
        fi
        ;;
+  down)
+       boot_mesg "Disabling firewall access to RED"
+       iptables_red_down
+       evaluate_retval
+       ;;
   restart)
        # run local firewall configuration, if present
        if [ -x /etc/sysconfig/firewall.local ]; then

diff --git a/src/initscripts/init.d/networking/red.down/20-firewall b/src/initscripts/init.d/networking/red.down/20-firewall
new file mode 100644 (file)
index 0000000..d21c97c
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.down/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall down

diff --git a/src/initscripts/init.d/networking/red.up/20-firewall b/src/initscripts/init.d/networking/red.up/20-firewall
new file mode 100644 (file)
index 0000000..ca52b4b
--- /dev/null
+++ b/src/initscripts/init.d/networking/red.up/20-firewall
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec /etc/rc.d/init.d/firewall up