From 7f25a65fc1d53178453ad8cb820a9251a8755402 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Wed, 3 Jul 2013 14:38:40 +0200
Subject: [PATCH 1/1] Forward Firewall: moved default rules from FORWARDFW to POLICYFWD

---
 config/forwardfw/firewall-policy | 2 ++
 config/forwardfw/rules.pl | 17 -----------------
 2 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 0a5cd14b0..459c1a554 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -30,6 +30,8 @@ else
 if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
 /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
 fi
+ /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
+ /sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
 /sbin/iptables -A POLICYFWD -j ACCEPT
 /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
 fi
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index f13bb5f16..d62cca0d7 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
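Review bot: The two new ORANGE DROP rules in firewall-policy are appended unconditionally, whereas the blue0 rule directly above them is guarded by `[ "$BLUE_DEV" ]` and the rules.pl code this commit removes only emitted them inside `if ($defaultNetworks{'ORANGE_DEV'})`, with the ORANGE→BLUE rule additionally under `BLUE_DEV`. On a system without an ORANGE (or BLUE) interface the address and mask variables are empty, the arguments collapse to `-s / -d /`, iptables rejects them, and — unless there is a `set -e` above the hunk, which is not visible — the error is only printed and the policy chain is built without those lines. The guards should be restored as below (assuming the script sources the same ethernet settings that provide `$BLUE_DEV`); the enclosing `else` branch begins outside the hunk. The removed rules.pl code also converted the masks with `General::iporsubtocidr` while the new lines pass `$ORANGE_NETMASK` through unchanged; iptables accepts dotted-quad masks after `/`, so this is fine only if the settings file stores them in a form iptables understands. Separately, the BLUE→GREEN rule that rules.pl used to emit has no counterpart in this hunk, so it is worth confirming that POLICYFWD covers that direction elsewhere.
```shell
	if [ "$ORANGE_DEV" ]; then
		if [ "$BLUE_DEV" ]; then
			/sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$BLUE_NETADDRESS"/"$BLUE_NETMASK" -j DROP
		fi
		/sbin/iptables -A POLICYFWD -s "$ORANGE_NETADDRESS"/"$ORANGE_NETMASK" -d "$GREEN_NETADDRESS"/"$GREEN_NETMASK" -j DROP
	fi
	# … unchanged: POLICYFWD ACCEPT and DROP_FORWARD rules …
```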
@@ -114,23 +114,6 @@ if($param eq 'flush'){
 &p2pblock;
 system ("/usr/sbin/firewall-policy");
 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
- $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
- if ($defaultNetworks{'BLUE_DEV'}){
- $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
- $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
- #set default rules for BLUE
- system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
- }
- if ($defaultNetworks{'ORANGE_DEV'}){
- $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
- $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
- #set default rules for DMZ
- system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
- if ($defaultNetworks{'BLUE_DEV'}){
- system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
- }
- }
 &p2pblock;
 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
 system ("/usr/sbin/firewall-policy");
-- 
2.39.2