From c0e0848f999ed8944ae551047fdea32bfee88d03 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 20 May 2014 11:41:23 +0200
Subject: [PATCH 1/1] firewall: Allow blocking access to GREEN from GREEN.
---
 config/firewall/firewall-policy | 3 +++
 src/initscripts/init.d/firewall | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2fe5..4ba1ace8c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
 # INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
 true,MODE1) ;;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 853f195cf..7a18502bf 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -179,7 +179,10 @@ iptables_init() {
 iptables -t nat -A POSTROUTING -j IPSECNAT
 # localhost and ethernet.
-iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+# Always allow accessing the web GUI from GREEN.
+iptables -N GUIINPUT
+iptables -A INPUT -j GUIINPUT
+iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
 # WIRELESS chains
 iptables -N WIRELESSINPUT
--
2.39.2
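Review bot: The new POLICYIN rule accepts every protocol from GREEN, whereas the INPUT rule it replaces in src/initscripts/init.d/firewall (second hunk) carried `! -p icmp` and `-m conntrack --ctstate NEW`, so ICMP from GREEN now reaches an unconditional ACCEPT here; whether an earlier ICMP rule in the chain still governs it is not visible in this hunk. If the widening is intended, record it next to the rule, e.g. `# Unlike the old INPUT rule this also matches ICMP and all connection states`; otherwise keep the exclusion with `iptables -A POLICYIN -i "${GREEN_DEV}" ! -p icmp -j ACCEPT`. Quoting `"${GREEN_DEV}"` is an improvement over the unquoted `$GREEN_DEV` it replaces (an empty value would previously have produced a rule matching every interface), but it now depends on the variable being set when this policy script runs, and what happens on an iptables error is decided by the script's error handling outside the hunk. The case statement that follows continues past the end of the hunk.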
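Review bot: Dropping the blanket GREEN INPUT accept means that, apart from tcp/444, every other service the firewall itself exposes on GREEN (whatever those are is not visible in this hunk) is now reachable only through what POLICYIN accepts, and that is a generated policy; an administrator who blocks GREEN there and manages the box over anything other than the web GUI can lock themselves out. That trade-off belongs beside the new chain, e.g. `# Only the web GUI is exempt from the policy; all other GREEN->firewall traffic is decided by POLICYIN`, and the comment should note that 444 must match the web server's listen port since the number is hard-coded here. `iptables -N GUIINPUT` assumes the chain does not yet exist; if iptables_init can run without a preceding flush and chain deletion (the function starts before this hunk and continues after it), the -N fails and `iptables -A INPUT -j GUIINPUT` appends a second jump on every run.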