Forward Firewall: moved default rules from FORWARDFW to POLICYFWD
authorAlexander Marx <amarx@ipfire.org>
Wed, 3 Jul 2013 12:38:40 +0000 (14:38 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:15:31 +0000 (14:15 +0200)
config/forwardfw/firewall-policy
config/forwardfw/rules.pl

index 0a5cd14b0c9366938f57434daaa780b54627433d..459c1a554e09519fdba98fca3cbe792f69a871bf 100755 (executable)
@@ -30,6 +30,8 @@ else
        if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
                /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
        fi
        if [  "$BLUE_DEV" ] && [ "$IFACE" ]; then
                /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
        fi
+       /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
+       /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
        /sbin/iptables -A POLICYFWD -j ACCEPT 
        /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 fi
        /sbin/iptables -A POLICYFWD -j ACCEPT 
        /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 fi
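Review bot: The two added DROP rules run unconditionally, whereas the neighbouring blue0 rule just above them is guarded by `[ "$BLUE_DEV" ]`; on a system without an orange or blue network the corresponding variables are empty, the iptables call fails on a `-s /` argument, and since the branch then falls through to `-A POLICYFWD -j ACCEPT` the isolation rule is silently absent rather than the script stopping (unless the script aborts on error, which is not visible here). The removed Perl block in rules.pl wrapped the same rules in ORANGE_DEV and BLUE_DEV checks, so the guard should be carried over. The enclosing `else` branch starts outside the hunk. If ORANGE_NETMASK and the other masks are still dotted-quad here (the removed code converted them with iporsubtocidr), iptables accepts that form after the slash, so no conversion is needed — worth confirming.
```shell
        if [ "$ORANGE_DEV" ]; then
                if [ "$BLUE_DEV" ]; then
                        /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
                fi
                /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
        fi
        # … unchanged: final ACCEPT and DROP_FORWARD rules …
```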
index f13bb5f16c91c55c1650dbe99c7188fefe2a93d5..d62cca0d77dcb6f47a1d32206f3b5f0b54886a12 100755 (executable)
@@ -114,23 +114,6 @@ if($param eq 'flush'){
                        &p2pblock;
                        system ("/usr/sbin/firewall-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
                        &p2pblock;
                        system ("/usr/sbin/firewall-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
-                       $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
-                       $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
-                       if ($defaultNetworks{'BLUE_DEV'}){
-                               $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
-                               $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
-                               #set default rules for BLUE
-                               system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
-                       }
-                       if ($defaultNetworks{'ORANGE_DEV'}){
-                               $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
-                               $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
-                               #set default rules for DMZ
-                               system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
-                               if ($defaultNetworks{'BLUE_DEV'}){
-                                       system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
-                               }
-                       }
                        &p2pblock;
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
                        system ("/usr/sbin/firewall-policy");
                        &p2pblock;
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
                        system ("/usr/sbin/firewall-policy");