webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

firewall: fix faulty masquerading packets

Browse Source
This commit is contained in:
Timo Eissler
2014-08-07 19:00:58 +02:00
committed by Michael Tremer
parent 4616eccece
commit 4b12aa414c
4 changed files with 33 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lfs/initscripts
View File

@@ -187,7 +187,6 @@ $(TARGET) :
/etc/rc.d/init.d/networking/red.up/24-RS-qos /etc/rc.d/init.d/networking/red.up/24-RS-qos
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
for i in green blue orange; do \ for i in green blue orange; do \
ln -sf any /etc/rc.d/init.d/networking/$$i; \ ln -sf any /etc/rc.d/init.d/networking/$$i; \

31
src/initscripts/init.d/firewall
View File

@@ -277,10 +277,16 @@ iptables_init() {
/usr/sbin/firewall-policy /usr/sbin/firewall-policy
# Install firewall rules for the red interface. # Install firewall rules for the red interface.
iptables_red iptables_red_up
# If red has not been brought up yet, we will
# add the blocking rules for MASQUERADE
if [ ! -e "/var/ipfire/red/active" ]; then
iptables_red_down
fi
} }
iptables_red() { iptables_red_up() {
iptables -F REDINPUT iptables -F REDINPUT
iptables -F REDFORWARD iptables -F REDFORWARD
iptables -t nat -F REDNAT iptables -t nat -F REDNAT
@@ -358,6 +364,18 @@ iptables_red() {
/usr/local/bin/firewallctrl /usr/local/bin/firewallctrl
} }
iptables_red_down() {
# Prohibit packets to reach the masquerading rule
# while the wan interface is down - this is required to
# circumvent udp related NAT issues
# http://forum.ipfire.org/index.php?topic=11127.0
iptables -F REDFORWARD
iptables -A REDFORWARD -o $IFACE -j DROP
# Reload all rules.
/usr/local/bin/firewallctrl
}
# See how we were called. # See how we were called.
case "$1" in case "$1" in
start) start)
@@ -388,9 +406,9 @@ case "$1" in
/etc/sysconfig/firewall.local start /etc/sysconfig/firewall.local start
fi fi
;; ;;
reload) reload|up)
boot_mesg "Reloading firewall" boot_mesg "Reloading firewall"
iptables_red iptables_red_up
evaluate_retval evaluate_retval
# run local firewall configuration, if present # run local firewall configuration, if present
@@ -398,6 +416,11 @@ case "$1" in
/etc/sysconfig/firewall.local reload /etc/sysconfig/firewall.local reload
fi fi
;; ;;
down)
boot_mesg "Disabling firewall access to RED"
iptables_red_down
evaluate_retval
;;
restart) restart)
# run local firewall configuration, if present # run local firewall configuration, if present
if [ -x /etc/sysconfig/firewall.local ]; then if [ -x /etc/sysconfig/firewall.local ]; then

3
src/initscripts/init.d/networking/red.down/20-firewall Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
exec /etc/rc.d/init.d/firewall down

3
src/initscripts/init.d/networking/red.up/20-firewall Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
exec /etc/rc.d/init.d/firewall up