From: Michael Tremer
Date: Tue, 20 May 2014 09:41:23 +0000 (+0200)
Subject: firewall: Allow blocking access to GREEN from GREEN.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=c0e0848f999ed8944ae551047fdea32bfee88d03;hp=8e59a6022bf7cb225c3509be2964833cce0e630c

firewall: Allow blocking access to GREEN from GREEN.
---
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 # INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 true,MODE1) ;;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 853f195cf..7a18502bf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -179,7 +179,10 @@ iptables_init() {
 iptables -t nat -A POSTROUTING -j IPSECNAT
 # localhost and ethernet.
-iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+# Always allow accessing the web GUI from GREEN.
+iptables -N GUIINPUT
+iptables -A INPUT -j GUIINPUT
+iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 # WIRELESS chains
 iptables -N WIRELESSINPUT
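Review bot: The added POLICYIN rule accepts every protocol and connection state from GREEN unconditionally, so whether GREEN-to-firewall traffic can actually be blocked (the commit's stated goal) depends entirely on POLICYIN being evaluated after the user/custom rule chains, which this hunk does not show; the comment should record that dependency, e.g. `# Allow access from GREEN. This sits in the policy chain, so rules evaluated before POLICYIN can still block GREEN.` Unlike the IPsec block immediately below, the rule is not conditioned on `${POLICY}`, so a mode that is meant to be restrictive still opens the firewall host itself to GREEN — confirm that is intended. If `${GREEN_DEV}` can be empty the command fails on a bad argument rather than installing a rule; a guard such as `[ -n "${GREEN_DEV}" ] && iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT` makes the failure explicit.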
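Review bot: The replacement GUI rule accepts any TCP packet to port 444 from GREEN, whereas the rule it replaces matched only `--ctstate NEW`; keeping the state match is the usual shape for a lockout-protection rule and costs nothing: `iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -m conntrack --ctstate NEW -j ACCEPT`. The comment should also say why this rule is unconditional, e.g. `# Lockout protection: GREEN can always reach the web GUI (tcp/444), even if a later policy or custom rule blocks GREEN -> firewall.`, because every other service GREEN used to reach through the removed catch-all now depends on rules outside this hunk (presumably the POLICYIN chain). Note that `iptables -N GUIINPUT` fails if the chain already exists, so this relies on chains being flushed and deleted before iptables_init() runs — worth confirming, since otherwise each run appends a duplicate accept. iptables_init() continues outside the hunk.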