From: Michael Tremer
Date: Thu, 22 May 2014 21:11:43 +0000 (+0200)
Subject: Merge remote-tracking branch 'ms/firewall-block-green' into next
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=fded6faa72d581114e25ddb17bcc607625736fdc;hp=9d707db06eef14a519ed1e5091a6d12f50b452d4
Merge remote-tracking branch 'ms/firewall-block-green' into next
---
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 # INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 true,MODE1) ;;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 837178110..7a18502bf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
 iptables -N IPTVFORWARD
 iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 # Accept everything on loopback
 iptables -N LOOPBACK
@@ -179,7 +179,10 @@ iptables_init() {
 iptables -t nat -A POSTROUTING -j IPSECNAT
 # localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 # WIRELESS chains
 iptables -N WIRELESSINPUT
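Review bot: The new `iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT` in firewall-policy accepts every protocol from GREEN, whereas the INPUT rule this merge removes from src/initscripts/init.d/firewall matched only `--ctstate NEW` and ended in `! -p icmp`; so GREEN hosts can now reach the firewall with any ICMP type rather than only the echo-request that ICMPINPUT accepts. That is presumably the intent of "allow access from GREEN", but the one-line comment does not say it, and since `-A` appends and this line sits before the IPsec `case` block, any later POLICYIN rules presumably never see GREEN traffic. I would widen the comment to `# Allow access from GREEN (all protocols, including ICMP; kept ahead of the IPsec/OpenVPN policy rules below so they cannot narrow GREEN)`. The surrounding INPUT section of firewall-policy continues outside the hunk.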
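Review bot: The comment `# Allow to ping the firewall.` above the new ICMPINPUT chain reads awkwardly and understates the rule: `iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT` carries no `-i` match, so echo-request is accepted on every interface, which is unchanged from the removed GUIINPUT rule but is now the sole content of a chain whose name suggests a general ICMP policy. I would make the comment state the scope explicitly, e.g. `# Allow pinging the firewall (ICMP echo-request, accepted on any interface).`, so a later reader does not assume it is GREEN-only like the GUIINPUT rule further down. iptables_init() starts and ends outside the hunk.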
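Review bot: The context comment `# localhost and ethernet.` is left standing directly above the new GUIINPUT block, but the only rule it described is the `-i $GREEN_DEV -m conntrack --ctstate NEW` line removed here, and the new block brings its own `# Always allow accessing the web GUI from GREEN.` comment, so the old line is now stale and should be dropped in this change. Separately, the new `iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT` hardcodes the GUI port; if that port is defined by a setting elsewhere (not visible in this hunk) the rule should read it from there rather than repeat the literal. iptables_init() starts and ends outside the hunk.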