firewall-policy: fix drop and logging on red0;
authorArne Fitzenreiter <arne_f@ipfire.org>
Sat, 29 Mar 2014 14:06:35 +0000 (15:06 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sat, 29 Mar 2014 14:06:35 +0000 (15:06 +0100)
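--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -112,11 +112,29 @@ case "${POLICY}" in
 	*)
 		if [ -n "${IFACE}" ]; then
 			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+				if [ "${DROPFORWARD}" = "on" ]; then
+					iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+				fi
 				iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
 			fi
 			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
+				if [ "${DROPFORWARD}" = "on" ]; then
+					iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+				fi
 				iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
 			fi
+
+			if [ "${DROPFORWARD}" = "on" ]; then
+				iptables -A POLICYFWD -i "${IFACE}" -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+			fi
+			iptables -A POLICYFWD -i "${IFACE}" -j DROP
+
+			if [ "${IFACE}" != "${RED_DEV}" ]; then
+				if [ "${DROPFORWARD}" = "on" ]; then
+					iptables -A POLICYFWD -i "${RED_DEV}" -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
+				fi
+				iptables -A POLICYFWD -i "${RED_DEV}" -j DROP
+			fi
 		fi
 		iptables -A POLICYFWD -j ACCEPT
 		iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP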
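Review bot: The new red branch at `if [ "${IFACE}" != "${RED_DEV}" ]; then` is missing the `-n` guard that the BLUE and ORANGE branches directly above it use, so if RED_DEV is unset or empty here (red not up, or not sourced yet — where it is set is outside this hunk) the LOG and DROP rules are still appended with an empty `-i` argument rather than skipped, and as far as I recall iptables treats an empty interface name as "any interface", which would turn that line into an unconditional drop of all forwarded traffic. Mirroring the existing pattern fixes both cases: `if [ -n "${RED_DEV}" ] && [ "${IFACE}" != "${RED_DEV}" ]; then`. A smaller point: all four LOG rules share the identical prefix `"DROP_FORWARD "`, so the log cannot tell which of the new interface-scoped rules fired; a per-interface suffix would make triage easier but is optional. The enclosing `case "${POLICY}" in` and its `*)` arm start before this hunk and close after it.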