Ausgehende Firewall aktiviert, kann nun getestet werden.

git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@616 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8

config/outgoingfw/outgoingfw.pl

@@ -76,7 +76,7 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 	$outfwsettings{'STATE'} = "ALLOW";
 	$POLICY = "DROP";
-	$DO = "RETURN";
+	$DO = "ACCEPT";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 	$outfwsettings{'STATE'} = "DENY";
 	$POLICY = "ACCEPT";
@@ -93,9 +93,9 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-	$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
+	$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
 	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
-		$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
+		$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
 	if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
 
@@ -152,21 +152,22 @@ foreach $configentry (sort @configs)
 				$MAC = "$configline[6]";
 			 	$CMD = "$CMD -m mac --mac-source $MAC";
 			}
-	
+			
 			$CMD = "$CMD -o $netsettings{'RED_DEV'}";
+
+			if ($configline[9] eq "aktiv") {
+				if ($DEBUG) {
+					print "$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '\n";
+				} else {
+					system("$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '");
+				}
+			}
+			
 			if ($DEBUG) {
 				print "$CMD -j $DO\n";
 			} else {
 				system("$CMD -j $DO");
 			}
-			
-			if ($configline[9] eq "log") {
-				if ($DEBUG) {
-					print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n";
-				} else {
-					system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '");
-				}
-			}
     }
 	}
 }
@@ -187,7 +188,7 @@ foreach $p2pentry (sort @p2ps)
 			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
 		}
 	} else {
-		$DO = "RETURN";
+		$DO = "ACCEPT";
 		if ("$p2pline[2]" eq "on") {
 			$P2PSTRING = "$P2PSTRING --$p2pline[1]";
 		}
@@ -202,7 +203,7 @@ if ($P2PSTRING) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-	$CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
+	$CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP";
 	if ($DEBUG) {
 		print "$CMD\n";
 	} else {

src/initscripts/init.d/firewall

@@ -139,6 +139,8 @@ case "$1" in
 	/sbin/iptables -A FORWARD -j CUSTOMFORWARD
 	/sbin/iptables -N CUSTOMOUTPUT
 	/sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+	/sbin/iptables -N OUTGOINGFW
+	/sbin/iptables -A OUTPUT -j OUTGOINGFW
 	/sbin/iptables -t nat -N CUSTOMPREROUTING
 	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -159,6 +161,9 @@ case "$1" in
 	/sbin/iptables -A INPUT -j OPENSSLVIRTUAL
 	/sbin/iptables -A FORWARD -j IPSECVIRTUAL
 	/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
+	
+	# Outgoing Firewall
+	/sbin/iptables -A FORWARD -j OUTGOINGFW
 
 	# localhost and ethernet.
 	/sbin/iptables -A INPUT   -i lo          -m state --state NEW -j ACCEPT

src/initscripts/init.d/net/red/update

@@ -103,6 +103,7 @@ if [ -e "/var/ipfire/red/active" ]; then
 	[ "$IFACE" != "" ] && ifconfig $IFACE -multicast
 	/etc/rc.d/init.d/firewall reload
 	/usr/local/bin/setfilters
+	/usr/local/bin/outgoingfwctrl
 	/usr/local/bin/restartsnort red
 	/usr/local/bin/qosctrl start
 	/usr/local/bin/setportfw

src/pakfire/lib/functions.pl

@@ -478,7 +478,7 @@ sub senduuid {
 	}
 	logger("Sending my uuid: $Conf::uuid");
 	fetchfile("cgi-bin/counter?ver=$Conf::version&uuid=$Conf::uuid", "$Conf::mainserver");
-	system("rm -f $Conf::cachedir/counter.cgi* 2>/dev/null");
+	system("rm -f $Conf::cachedir/counter* 2>/dev/null");
 }
 
 1;