From: Alexander Marx
Date: Tue, 8 Jan 2013 10:20:39 +0000 (+0100)
Subject: Forward firewall: commented out line in init.d/firewall that all Forward traffic...
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=fd10a52ca2860678368d162ce6b52b8c1cf25d0e
Forward firewall: commented out line in init.d/firewall that all Forward traffic from green is allowed and put it in rules.pl. Now rules.pl allows this traffic when firewall is set to Mode0 or Mode2
---
diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
old mode 100644
new mode 100755
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 8c9e2ba52..960951fc0 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -88,9 +88,11 @@ if($param eq 'flush'){
 &preparerules;
 if($MODE eq '0'){
 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
- system ("iptables -A $CHAIN -j DROP");
+ #system ("iptables -A $CHAIN -j DROP");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- system ("iptables -A $CHAIN -j ACCEPT");
+ #system ("iptables -A $CHAIN -j ACCEPT");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
 }
 }
 }
diff --git a/config/fwhosts/icmp-types b/config/fwhosts/icmp-types
old mode 100644
new mode 100755
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index f4cc2afa8..c1daa59b5 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
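Review bot: The new `elsif` testing `'MODE0' || ... 'MODE2'` is unreachable for MODE2, because the branch two lines above already matches `$fwdfwsettings{'POLICY'} eq 'MODE2'` and now does nothing, so with POLICY MODE2 no ACCEPT is appended at all, contrary to the commit message. Delete the now-empty MODE1 and MODE2 branches (or test MODE0/MODE2 first) instead of leaving commented-out `system` calls in the chain. The rule added here, `iptables -A $CHAIN -m state --state NEW -j ACCEPT`, also carries no input-interface match, whereas the init.d line it replaces was limited to `-i $GREEN_DEV`; if `$CHAIN` can see NEW connections from other interfaces this widens the accept, so either restrict it to the green interface or document why the restriction is no longer needed. While here, the list form `system('iptables', '-A', $CHAIN, '-m', 'state', '--state', 'NEW', '-j', 'ACCEPT')` avoids passing `$CHAIN` through a shell. The enclosing `if` blocks open before the hunk.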
@@ -211,7 +211,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
+ #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
 # If a host on orange tries to initiate a connection to IPFire's red IP and
 # the connection gets DNATed back through a port forward to a server on orange
@@ -283,18 +283,12 @@ case "$1" in
 /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 fi
 /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
- fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
+ /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
 fi
- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
-
+ /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
- ;;
+ ;;
 startovpn)
 # run openvpn
 /usr/local/bin/openvpnctrl --create-chains-and-rules
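Review bot: The green FORWARD accept is left as a commented-out line directly under the still-live INPUT rule, which reads as if it were still in effect; delete it and record where it moved, e.g. `# FORWARD accept for green is now appended by forwardfw/rules.pl (MODE0/MODE2 only)`. The same commented-out-instead-of-deleted pattern recurs in the `DROPOUTPUT` block of the hunk at -326. Since rules.pl only adds that accept when `$MODE eq '0'` and the policy is MODE0/MODE2, green-initiated forwarding in every other mode is now governed entirely by the forwardfw chain; if that is intended the comment should say so. The enclosing case arm continues outside the hunk.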
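Review bot: The new side keeps the context line `fi` but removes `if [ "$DROPFORWARD" == "on" ]; then` in front of the new `DROP_FORWARD` LOG rule, so unless a line was lost in this rendering the script no longer parses (`fi` without a matching `if`) and the whole firewall init script fails to start. Either keep `if [ "$DROPFORWARD" == "on" ]; then` so the LOG rule stays gated by the setting, or drop the `fi` with it. With the unconditional `-A FORWARD -j DROP` at the end of this arm, ordering also matters: an accept that rules.pl appends to its own chain only takes effect if that chain is jumped to before this DROP, which the hunk does not show. The near-identical block at -326 keeps its `if`/`fi` pair, so the two arms now diverge. The enclosing case arm opens before the hunk.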
@@ -326,14 +320,14 @@ case "$1" in
 /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
 fi
 /sbin/iptables -A INPUT -j DROP -m comment --comment "DROP_INPUT"
- if [ "$DROPOUTPUT" == "on" ]; then
- /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
- fi
- /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+ #if [ "$DROPOUTPUT" == "on" ]; then
+ # /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
+ #fi
+ #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
 if [ "$DROPFORWARD" == "on" ]; then
 /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
 fi
- /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
+ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW-oberdropper"
 ;;
 stopovpn)
 # stop openvpn
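Review bot: The rule comment is changed to `"DROP_FORWARDFW-oberdropper"`, which looks like a debugging label that slipped into the commit; if anything keys on the exact comment `DROP_FORWARDFW` (log viewers, rule lookups by comment) it will stop matching, and the name also differs from the `DROP_FORWARD` used in the arm at -283. Restore `-m comment --comment "DROP_FORWARDFW"` unless the rename is deliberate, in which case use one name in both arms. The `DROPOUTPUT` block is commented out here but deleted outright in the -283 arm; pick one treatment, preferably deletion. The enclosing case arm opens before the hunk.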