From: Michael Tremer
Date: Mon, 10 Mar 2014 18:40:20 +0000 (+0100)
Subject: firewall: Add auxiliary rules for firewall access.
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=e9b5ba417924d00309736ca045997c5dec7ce4d3
firewall: Add auxiliary rules for firewall access.
Rules for accessing the firewall are added when access to networks (GREEN, BLUE, ...) the firewall resides in is allowed.
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4bb40a4f9..51ddb446a 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -278,6 +278,11 @@ sub buildrules {
 # Add time constraint options.
 push(@options, @time_options);
+ my $firewall_is_in_source_subnet = 0;
+ if ($source) {
+ $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+ }
+
 # Process NAT rules.
 if ($NAT) {
 my $nat_address = &get_nat_address($$hash{$key}[29]);
@@ -326,6 +331,14 @@ sub buildrules {
 }
 push(@options, @source_options);
+
+ if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
 push(@options, @destination_options);
 # Insert firewall rule.
@@ -781,3 +794,26 @@ sub make_log_limit_options {
 return @options;
 }
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if (!$net_mask) {
+ return 0;
+ }
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ foreach my $zone ("GREEN", "BLUE") {
+ next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+ my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+
+ if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
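Review bot: The mirrored INPUT rule in the second hunk is emitted before `@destination_options` is pushed, so it carries only the source, protocol/port, log and time options of the FORWARD rule and never considers the rule's destination; in MODE1 a FORWARD rule that allows GREEN to reach one external host on a port would therefore also accept that port on the firewall itself from GREEN. If that widening is not intended, gate the block on the destination covering the firewall as well, by computing a second flag from the destination next to the `&firewall_is_in_subnet($source)` call in the first hunk and requiring both. Either way the block deserves a comment stating the intent, such as `# Mirror this rule into INPUT: the firewall's own GREEN/BLUE address lies inside the source network, so traffic aimed at the firewall must be handled the same way.`. buildrules starts and ends outside the hunk.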
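Review bot: In `firewall_is_in_subnet`, `if (!$net_mask)` treats the string `"0"` as a missing mask, so a source written as `0.0.0.0/0` returns 0 even though every firewall address lies inside it; if sources can be given in that form, test for absence explicitly, `return 0 unless defined $net_mask && length $net_mask;`. The sub has no header comment; add one such as `# Returns 1 if one of the firewall's own GREEN/BLUE addresses lies inside the given subnet ("address/mask"), 0 otherwise or when no mask is given.`. Whether `$net_mask` is expected as a prefix length or a dotted mask is not visible here, since it is passed to General::IpInSubnet unchanged, so the comment should state the expected form once confirmed.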