From: Alexander Marx
Date: Thu, 21 Mar 2013 16:34:30 +0000 (+0100)
Subject: Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set...
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=218b3341b6fd9da564ee876c08d8bf2c1b0ec78d
Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set to REJECT
---
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 1f2af8cd9..3f4ad306b 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -77,7 +77,7 @@
 my %aliases=();
 my %optionsfw=();
 my %ifaces=();
-my $VERSION='0.9.8.8';
+my $VERSION='0.9.8.9';
 my $color;
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 18dea0ab8..7e3248147 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -204,13 +204,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+
 # allow DHCP on BLUE to be turned on/off
 /sbin/iptables -N DHCPBLUEINPUT
 /sbin/iptables -A INPUT -j DHCPBLUEINPUT
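Review bot: Dropping the `[ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT` rule is a behavioural change rather than a cleanup: a NEW connection from an ORANGE host to the red IP that is DNATed back into ORANGE no longer gets an explicit accept in FORWARD and now depends on whatever rules follow, which this hunk does not show. If that hairpin case is meant to be decided by FORWARDFW or the forward policy from now on, leave a one-line pointer where the removed block was, e.g. `# ORANGE -> ORANGE hairpin traffic (DNAT back into the DMZ) is now decided by FORWARDFW / the forward policy`, and say so in the commit message; if it is not, port forwards reached from inside the DMZ will silently stop working. The `case "$1" in` start branch this sits in begins and ends outside the hunk.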
@@ -242,13 +236,7 @@ case "$1" in
 /sbin/iptables -t nat -A POSTROUTING -j REDNAT
 iptables_red
-
- # DMZ pinhole chain.
- # ORANGE to talk to GREEN / BLUE.
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
- fi
-
+
 # Custom prerouting chains (for transparent proxy and port forwarding)
 /sbin/iptables -t nat -N SQUID
 /sbin/iptables -t nat -A PREROUTING -j SQUID
@@ -279,12 +267,6 @@ case "$1" in
 /etc/sysconfig/firewall.local start
 fi
-
- # last rule in input and forward chain is for logging.
-
- if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT " fi
-
 #POLICY CHAIN
 /sbin/iptables -N POLICYIN
 /sbin/iptables -A INPUT -j POLICYIN
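Review bot: With the `/sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW` jump removed, nothing in this hunk sends DMZ traffic into FORWARDFW any more, so the ORANGE -> GREEN/BLUE pinholes presumably configured through forwardfw.cgi only keep working if a generic FORWARD -> FORWARDFW jump exists elsewhere in the script, which I cannot see from here. Worth confirming that such a jump exists and is evaluated before the final forward policy, otherwise DMZ pinholes silently fall through to the default policy. A one-line pointer in place of the removed block would save the next reader the same search, e.g. `# ORANGE forwarding is handled by the generic FORWARDFW jump; no per-interface pinhole chain needed`. The start branch this belongs to continues outside the hunk.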
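Review bot: The removed `/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "` rule was the rate-limited INPUT logger this script had here and the only place in the hunk where `$DROPINPUT` is honoured; nothing is added in its place, so whether dropped INPUT packets are still logged, still rate-limited and still switchable via `$DROPINPUT` now depends entirely on what POLICYIN does, which is not shown. If POLICYIN logs without `-m limit`, spraying packets at a REJECTing INPUT chain lets a remote host flood the log, reintroducing exactly what the limit prevented. Please confirm POLICYIN keeps both the rate limit and the `$DROPINPUT` toggle, and document the hand-off where the rule was, e.g. `# INPUT logging (DROP_INPUT, gated by $DROPINPUT, rate-limited) now lives in POLICYIN`. The start branch this sits in continues outside the hunk.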