Merge remote-tracking branch 'ms/firewall-block-green' into next

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5aba650033a67c67c1b035599d3dd0e5..4ba1ace8cec12cee5aab07082e1c8d0cc107a053 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 
 # INPUT
 
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
        true,MODE1) ;;

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 83717811010da5f1f89c16aa8b7b6ed020ee1b89..7a18502bfa728743bc951fef3ccbce84389a57f4 100644 (file)
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
        iptables -N IPTVFORWARD
        iptables -A FORWARD -j IPTVFORWARD
 
-       # filtering from GUI
-       iptables -N GUIINPUT
-       iptables -A INPUT -j GUIINPUT
-       iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+       # Allow to ping the firewall.
+       iptables -N ICMPINPUT
+       iptables -A INPUT -j ICMPINPUT
+       iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
        # Accept everything on loopback
        iptables -N LOOPBACK
@@ -179,7 +179,10 @@ iptables_init() {
        iptables -t nat -A POSTROUTING -j IPSECNAT
 
        # localhost and ethernet.
-       iptables -A INPUT   -i $GREEN_DEV  -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+       # Always allow accessing the web GUI from GREEN.
+       iptables -N GUIINPUT
+       iptables -A INPUT -j GUIINPUT
+       iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 
        # WIRELESS chains
        iptables -N WIRELESSINPUT