diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl index 4d8ee425d..522f281d9 100644 --- a/config/outgoingfw/outgoingfw.pl +++ b/config/outgoingfw/outgoingfw.pl @@ -76,7 +76,7 @@ close FILE; if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { $outfwsettings{'STATE'} = "ALLOW"; $POLICY = "DROP"; - $DO = "RETURN"; + $DO = "ACCEPT"; } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { $outfwsettings{'STATE'} = "DENY"; $POLICY = "ACCEPT"; @@ -93,9 +93,9 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { } if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN"; + $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT"; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN"; + $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT"; if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } } @@ -152,21 +152,22 @@ foreach $configentry (sort @configs) $MAC = "$configline[6]"; $CMD = "$CMD -m mac --mac-source $MAC"; } - + $CMD = "$CMD -o $netsettings{'RED_DEV'}"; + + if ($configline[9] eq "aktiv") { + if ($DEBUG) { + print "$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '\n"; + } else { + system("$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '"); + } + } + if ($DEBUG) { print "$CMD -j $DO\n"; } else { system("$CMD -j $DO"); } - - if ($configline[9] eq "log") { - if ($DEBUG) { - print "$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '\n"; - } else { - system("$CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '"); - } - } } } } @@ -187,7 +188,7 @@ foreach $p2pentry (sort @p2ps) $P2PSTRING = "$P2PSTRING --$p2pline[1]"; } } else { - $DO = "RETURN"; + $DO = "ACCEPT"; if ("$p2pline[2]" eq "on") { $P2PSTRING = "$P2PSTRING --$p2pline[1]"; } 
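Review bot: The two rules rewritten in the `@@ -93` hunk (`-m state --state ESTABLISHED,RELATED -j ACCEPT` and `-p icmp -j ACCEPT`) carry no `-o $netsettings{'RED_DEV'}` match, while the per-entry rules in the `@@ -152` hunk and the final MODE1 DROP in the `@@ -202` hunk are now restricted to the RED device. Because OUTGOINGFW is jumped to from both OUTPUT and FORWARD (per the firewall initscript hunks) and ACCEPT, unlike the RETURN it replaces, ends traversal of the calling chain, these two rules accept ESTABLISHED/RELATED and ICMP traffic bound for any interface before any rule appended after the jump can see it; whether such later rules exist is outside this diff. Restricting them the same way keeps the chain's decisions to RED-bound traffic: `$CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -m state --state ESTABLISHED,RELATED -j ACCEPT";` and likewise for the icmp rule. The same RETURN→ACCEPT switch for `$DO` appears in the `@@ -76` and `@@ -187` hunks and has the same effect on traversal.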
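Review bot: In the `@@ -152` hunk the log rule is now emitted only when `$configline[9] eq "aktiv"`, replacing the previous `"log"` value, so existing config entries written with the old value silently stop logging unless the CGI that writes the file changed in the same commit (not visible here); accepting both during a transition avoids that: `if ($configline[9] eq "aktiv" || $configline[9] eq "log") {`. Moving the LOG rule ahead of the `-j $DO` rule is correct, since a terminating target after it would have made it unreachable. Separately, the new `system("$CMD -m state ... -j LOG ...")` call, like the ones around it, hands a string built from config fields (`$MAC`, `$netsettings{'RED_DEV'}`) to the shell and never checks the return value, so a malformed field makes iptables fail without the script noticing; building `@args` and calling `system('/sbin/iptables', @args) == 0 or warn "iptables failed: $?";` would avoid both. The enclosing `foreach $configentry` loop begins before this hunk.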
@@ -202,7 +203,7 @@ if ($P2PSTRING) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -j DROP";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP";
 if ($DEBUG) {
 print "$CMD\n";
 } else {
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index aca835736..f32f7a7e8 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -139,6 +139,8 @@ case "$1" in
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
 /sbin/iptables -A OUTPUT -j CUSTOMOUTPUT
+ /sbin/iptables -N OUTGOINGFW
+ /sbin/iptables -A OUTPUT -j OUTGOINGFW
 /sbin/iptables -t nat -N CUSTOMPREROUTING
 /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 /sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -159,6 +161,9 @@ case "$1" in
 /sbin/iptables -A INPUT -j OPENSSLVIRTUAL
 /sbin/iptables -A FORWARD -j IPSECVIRTUAL
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL
+
+ # Outgoing Firewall
+ /sbin/iptables -A FORWARD -j OUTGOINGFW
 
 # localhost and ethernet.
 /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
diff --git a/src/initscripts/init.d/net/red/update b/src/initscripts/init.d/net/red/update
index 4f2f379de..7c06c3df1 100644
--- a/src/initscripts/init.d/net/red/update
+++ b/src/initscripts/init.d/net/red/update
@@ -103,6 +103,7 @@ if [ -e "/var/ipfire/red/active" ]; then
 [ "$IFACE" != "" ] && ifconfig $IFACE -multicast
 /etc/rc.d/init.d/firewall reload
 /usr/local/bin/setfilters
+ /usr/local/bin/outgoingfwctrl
 /usr/local/bin/restartsnort red
 /usr/local/bin/qosctrl start
 /usr/local/bin/setportfw
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl
index cd99c8597..caf10c0bd 100644
--- a/src/pakfire/lib/functions.pl
+++ b/src/pakfire/lib/functions.pl
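Review bot: The MODE1 default-DROP rule in this hunk now depends on `$netsettings{'RED_DEV'}` being set; when it is empty the command becomes `-A OUTGOINGFW -o  -j DROP`, iptables rejects it, and because the `system()` result is never checked the whitelist mode silently runs without its final DROP — it fails open. The `-o` match added to the per-entry rules in the `@@ -152` hunk has the same dependency. A guard before any rule is built keeps the failure visible, e.g. `die "outgoingfw: RED_DEV is not set\n" unless $netsettings{'RED_DEV'};` or, if a missing device is expected at boot, skipping the `-o` match and logging that. The `red/update` hunk below calls outgoingfwctrl when RED comes up, which is presumably when the device is known, but other callers of this script are not visible here.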
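Review bot: The first firewall hunk hooks OUTGOINGFW into OUTPUT as well as FORWARD (second hunk), so every rule outgoingfw.pl appends with `-o RED_DEV` also governs the firewall host's own RED-bound traffic, and in MODE1 any host service not covered by a whitelist entry ends in the chain's final DROP; nothing in the diff says whether that is intended. A comment next to the new jump would make the contract explicit, e.g. `# OUTGOINGFW also filters this host's own RED-bound traffic; MODE1 whitelists must cover local services`. In the second hunk the jump is appended after the VPN virtual chains, so any FORWARD rule appended later never sees RED-bound traffic that OUTGOINGFW has already accepted or dropped — worth a one-line comment on the ordering, since the `case "$1" in` block that contains both hunks runs past them and is not visible here.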
@@ -478,7 +478,7 @@ sub senduuid {
 }
 logger("Sending my uuid: $Conf::uuid");
 fetchfile("cgi-bin/counter?ver=$Conf::version&uuid=$Conf::uuid", "$Conf::mainserver");
- system("rm -f $Conf::cachedir/counter.cgi* 2>/dev/null");
+ system("rm -f $Conf::cachedir/counter* 2>/dev/null");
 }
 
 1;
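Review bot: The rewritten `system("rm -f $Conf::cachedir/counter* 2>/dev/null")` still interpolates `$Conf::cachedir` into a shell command line: an empty value turns the glob into `/counter*`, whitespace or shell metacharacters in the path change what is removed, and `2>/dev/null` hides every failure. Perl can delete the files without a shell, `use File::Glob ':bsd_glob';` at the top of the file and `unlink bsd_glob("$Conf::cachedir/counter*") or logger("cleanup failed: $!");` here, which also reports instead of silencing. The pattern is also widened from `counter.cgi*` to `counter*`; presumably the cached file is named after the `cgi-bin/counter?ver=...` URL and the old pattern never matched, but the broader glob now removes anything in the cache directory whose name starts with `counter`, which is worth a comment if intended.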