From 218b3341b6fd9da564ee876c08d8bf2c1b0ec78d Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 21 Mar 2013 17:34:30 +0100
Subject: [PATCH] Forward Firewall: cleanup of initscript. Fixes double log entries when INPUT is set to REJECT
---
 html/cgi-bin/forwardfw.cgi | 2 +-
 src/initscripts/init.d/firewall | 22 ++--------------------
 2 files changed, 3 insertions(+), 21 deletions(-)
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 1f2af8cd9..3f4ad306b 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -77,7 +77,7 @@
 my %aliases=();
 my %optionsfw=();
 my %ifaces=();
-my $VERSION='0.9.8.8';
+my $VERSION='0.9.8.9';
 my $color;
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 18dea0ab8..7e3248147 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -204,13 +204,7 @@ case "$1" in
 /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
- #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT
-
- # If a host on orange tries to initiate a connection to IPFire's red IP and
- # the connection gets DNATed back through a port forward to a server on orange
- # we end up with orange -> orange traffic passing through IPFire
- [ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT
-
+
 # allow DHCP on BLUE to be turned on/off
 /sbin/iptables -N DHCPBLUEINPUT
 /sbin/iptables -A INPUT -j DHCPBLUEINPUT
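Review bot: Dropping the `[ "$ORANGE_DEV" != "" ] && /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $ORANGE_DEV -m state --state NEW -j ACCEPT` rule here, together with the ORANGE-to-FORWARDFW jump removed in the next hunk of this file, changes which new connections from the ORANGE interface are accepted in FORWARD, yet the subject line only speaks of double log entries on INPUT REJECT. The comment being deleted documents the hairpin case (orange host to the red IP, DNATed back to orange); after this patch that traffic presumably falls through to whatever follows in FORWARD, which is outside the hunk. If FORWARDFW now sees ORANGE traffic through a rule elsewhere in the script, a one-line comment at the deletion point such as `# ORANGE forwarding (incl. orange->orange hairpin via DNAT) is handled by the FORWARDFW chain` would keep that knowledge in the file; if it does not, this is a policy change rather than cleanup and belongs in the commit message. The enclosing `case "$1" in` branch starts and ends outside the hunk.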
@@ -242,13 +236,7 @@ case "$1" in
 /sbin/iptables -t nat -A POSTROUTING -j REDNAT
 iptables_red
-
- # DMZ pinhole chain.
- # ORANGE to talk to GREEN / BLUE.
- if [ "$ORANGE_DEV" != "" ]; then
- /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW
- fi
-
+
 # Custom prerouting chains (for transparent proxy and port forwarding)
 /sbin/iptables -t nat -N SQUID
 /sbin/iptables -t nat -A PREROUTING -j SQUID
@@ -279,12 +267,6 @@ case "$1" in
 /etc/sysconfig/firewall.local start
 fi
- # last rule in input and forward chain is for logging.
-
- if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
- fi
-
 #POLICY CHAIN
 /sbin/iptables -N POLICYIN
 /sbin/iptables -A INPUT -j POLICYIN
--
2.39.2