From 6be0579b189df15a1e6775462c0945c41043801b Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 3 Jan 2013 17:30:11 +0100
Subject: [PATCH] Forward Firewall: replaced Outgoing-Logging with ForwardFW Logging. And changed Options in optionsfw.cgi from outgoing to forward

---
 html/cgi-bin/optionsfw.cgi | 12 ++++++------
 src/initscripts/init.d/firewall | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 189395726..66ebb1caa 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -30,7 +30,7 @@ our %settings=();
 $settings{'DISABLEPING'} = 'NO';
 $settings{'DROPNEWNOTSYN'} = 'on';
 $settings{'DROPINPUT'} = 'on';
-$settings{'DROPOUTPUT'} = 'on';
+$settings{'DROPFORWARD'} = 'on';
 $settings{'DROPPORTSCAN'} = 'on';
 $settings{'DROPWIRELESSINPUT'} = 'on';
 $settings{'DROPWIRELESSFORWARD'} = 'on';
@@ -66,9 +66,9 @@ $checked{'DROPNEWNOTSYN'}{$settings{'DROPNEWNOTSYN'}} = "checked='checked'";
 $checked{'DROPINPUT'}{'off'} = '';
 $checked{'DROPINPUT'}{'on'} = '';
 $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
-$checked{'DROPOUTPUT'}{'off'} = '';
-$checked{'DROPOUTPUT'}{'on'} = '';
-$checked{'DROPOUTPUT'}{$settings{'DROPOUTPUT'}} = "checked='checked'";
+$checked{'DROPFORWARD'}{'off'} = '';
+$checked{'DROPFORWARD'}{'on'} = '';
+$checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
 $checked{'DROPPORTSCAN'}{'off'} = '';
 $checked{'DROPPORTSCAN'}{'on'} = '';
 $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
@@ -96,8 +96,8 @@ print < off $Lang::tr{'drop input'}on / off -$Lang::tr{'drop output'}on / - off +$Lang::tr{'drop forward'}on / + off $Lang::tr{'drop portscan'}on / off $Lang::tr{'drop wirelessinput'}on /
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 4287d33f1..f4cc2afa8 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -287,6 +287,13 @@ case "$1" in
 /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
 fi
 /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
+
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
+ fi
+ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
+
+
 ;;
 startovpn)
 # run openvpn
@@ -323,7 +330,11 @@ case "$1" in
 /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
 fi
 /sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_OUTPUT"
- ;;
+ if [ "$DROPFORWARD" == "on" ]; then
+ /sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
+ fi
+ /sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
+ ;;
 stopovpn)
 # stop openvpn
 /usr/local/bin/openvpnctrl --delete-chains-and-rules

-- 
2.39.2
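Review bot: The terminal `/sbin/iptables -A FORWARDFW -j DROP` added at the end of this branch is appended, so any rule that is later appended to FORWARDFW with `-A` (where the chain is created and populated is not visible in this hunk) would sit behind the DROP and never be evaluated; either this block has to run after the chain is filled or the code that fills it must use `-I`, and a comment such as `# must remain the last rules in FORWARDFW: anything not accepted above is logged (DROPFORWARD=on) and dropped` would make that ordering requirement explicit. The new LOG rule is skipped whenever `$DROPFORWARD` is anything other than `on`, including unset, which is the state of any settings file written before this option existed; if the CGI default of `on` is meant to apply there, test `[ "${DROPFORWARD:-on}" == "on" ]` instead. The preceding `DROP_OUTPUT` LOG rule is kept although the commit removes the DROPOUTPUT option from optionsfw.cgi; its guarding `if` line is outside the hunk, but if it reads `$DROPOUTPUT` that logging can no longer be toggled from the UI. The enclosing case branch starts before the hunk.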
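Review bot: The four FORWARDFW lines added here are a verbatim copy of the block added to the branch at line 287 of the same file, so the two copies will drift apart the next time the prefix, rate limit or comment is changed; define them once in a shell function near the top of the script (outside both hunks) and call it from both case branches. The `==` inside `[ ]` is a bashism, consistent with the surrounding code but worth keeping in mind if the script is ever run under a POSIX sh. The enclosing case branch starts before the hunk.
```shell
# Terminal rules for the FORWARDFW chain: rate-limited LOG when
# DROPFORWARD is on, then an unconditional DROP. Must be the last
# rules appended to the chain; shared by both case branches.
forwardfw_drop_rules() {
	if [ "$DROPFORWARD" == "on" ]; then
		/sbin/iptables -A FORWARDFW -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARDFW "
	fi
	/sbin/iptables -A FORWARDFW -j DROP -m comment --comment "DROP_FORWARDFW"
}
# … unchanged: DROP_OUTPUT rules on FORWARD …
forwardfw_drop_rules
;;
```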