From 12dcfbbdbe38f8b81a3969f70516511ec779d011 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Mon, 11 Feb 2013 05:51:42 +0100 Subject: [PATCH] Forward Firewall: Portfw now working and firewall closed correctly --- html/cgi-bin/fwhosts.cgi | 3 ++- src/initscripts/init.d/firewall | 13 ++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 1ace2692e..face57b32 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -1400,7 +1400,7 @@ sub viewtablegrp my $count=1; my $grpname; my $remark; - my $number=1; + my $number; if (!keys %customgrp) { print "
$Lang::tr{'fwhost empty'}"; @@ -1446,6 +1446,7 @@ sub viewtablegrp print""; $helper=$customgrp{$key}[0]; + $number++; } print""; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index c2308d3c0..ed7509ff2 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -211,7 +211,7 @@ case "$1" in /sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP /sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp - /sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT + #/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT # If a host on orange tries to initiate a connection to IPFire's red IP and # the connection gets DNATed back through a port forward to a server on orange @@ -227,7 +227,11 @@ case "$1" in /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT /sbin/iptables -N WIRELESSFORWARD /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD - + + # PORTFWACCESS chain, used for portforwarding + /sbin/iptables -N PORTFWACCESS + /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS + # OPenSSL /sbin/iptables -N OPENSSLPHYSICAL /sbin/iptables -A INPUT -j OPENSSLPHYSICAL @@ -244,15 +248,10 @@ case "$1" in # DMZ pinhole chain. # ORANGE to talk to GREEN / BLUE. - if [ "$ORANGE_DEV" != "" ]; then /sbin/iptables -A FORWARD -i $ORANGE_DEV -m state --state NEW -j FORWARDFW fi - # PORTFWACCESS chain, used for portforwarding - /sbin/iptables -N PORTFWACCESS - /sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS - # Custom prerouting chains (for transparent proxy and port forwarding) /sbin/iptables -t nat -N SQUID /sbin/iptables -t nat -A PREROUTING -j SQUID
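Review bot: In `viewtablegrp` (html/cgi-bin/fwhosts.cgi, hunk at line 1400) `my $number;` leaves the counter undefined until the `$number++` that the hunk at line 1446 adds at the end of the loop body, so any read of `$number` during the first pass sees undef instead of a number. The reads of `$number` lie outside both hunks, so the effect on the first row cannot be confirmed from here. If the counter is now meant to start at zero, state that explicitly with `my $number=0;`. A short comment beside the declaration, such as `# row index, advanced at the end of each loop pass`, would also record why the starting value moved away from 1.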
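Review bot: In the hunk at line 211 of src/initscripts/init.d/firewall the GREEN forward rule is disabled by commenting it out (`#/sbin/iptables -A FORWARD -i $GREEN_DEV -m state --state NEW -j ACCEPT`) with no explanation, so a later reader cannot tell a temporary switch-off from the intended policy, and uncommenting it would reopen unrestricted forwarding from GREEN. Delete the line, or replace it with a comment that states the intent, for example `# NEW connections from GREEN are no longer accepted here; they are decided by the chains below`. The FORWARD policy and the chains that now decide GREEN-originated traffic are outside this hunk, so it is worth confirming the behaviour with an empty user rule set. The enclosing `case "$1" in` branch starts and ends outside the hunk.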
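Review bot: In the hunk at line 227 the jump `/sbin/iptables -A FORWARD -m state --state NEW -j PORTFWACCESS` is now appended before the ORANGE jump to `FORWARDFW`, where the block removed in the hunk at line 244 used to come after it, yet the comment does not say that rule order matters. NEW packets arriving from ORANGE therefore reach PORTFWACCESS first, and a later reshuffle of these blocks could silently change which chain decides them. If that order is intended, extend the comment to something like `# PORTFWACCESS chain, used for portforwarding; must be appended to FORWARD before the FORWARDFW jump`. The first added line above the comment appears to hold only whitespace where the old line was empty, and should be left truly blank. The rules between this block and the DMZ pinhole section are not visible here.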