Forward Firewall: First part of adding OUTGOING to th efirewall

2026-04-09 18:45:54 +02:00 · 2013-02-17 13:58:35 +01:00
parent d7127db8fb
commit 5d7faa4518
11 changed files with 126 additions and 65 deletions
--- a/config/forwardfw/firewall-forward-policy
+++ b/config/forwardfw/firewall-forward-policy
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-
-iptables -F POLICY
-
-if [ "$POLICY" == "MODE1" ]; then
-	
-		if [ "$FWPOLICY" == "REJECT" ]; then
-			if [ "$DROPFORWARD" == "on" ]; then
-				/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
-			fi
-			/sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
-		fi
-		if [ "$FWPOLICY" == "DROP" ]; then
-			if [ "$DROPFORWARD" == "on" ]; then
-				/sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
-			fi
-			/sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT"
-		fi
-fi
-
-
--- a/config/forwardfw/firewall-lib.pl
+++ b/config/forwardfw/firewall-lib.pl
@@ -221,6 +221,8 @@ sub get_std_net_ip
 		return "$ovpnsettings{'DOVPN_SUBNET'}";
 	}elsif($val =~ /IPsec/i){
 		return "$ipsecsettings{'RW_NET'}";
+	}elsif($val eq 'IPFire'){
+		return ;
 	}
 }
 sub get_net_ip
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICYFWD
+iptables -F POLICYOUT
+
+
+if [ "$POLICY" == "MODE1" ]; then
+		if [ "$FWPOLICY" == "REJECT" ]; then
+			if [ "$DROPFORWARD" == "on" ]; then
+				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+			fi
+			/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+		fi
+		if [ "$FWPOLICY" == "DROP" ]; then
+			if [ "$DROPFORWARD" == "on" ]; then
+				/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+			fi
+			/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+		fi
+fi
+if [ "$POLICY1" == "MODE1" ]; then
+	/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
+		if [ "$FWPOLICY1" == "REJECT" ]; then
+			if [ "$DROPOUTGOING" == "on" ]; then
+				/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+			fi
+				/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+		fi
+		if [ "$FWPOLICY1" == "DROP" ]; then
+			if [ "$DROPOUTGOING" == "on" ]; then
+				/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+			fi
+				/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+		fi
+fi
+
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -42,6 +42,7 @@ our %sourcehash=();
 our %targethash=();
 my @timeframe=();
 my %configinputfw=();
+my %configoutgoingfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl";

 my $configfwdfw		= "${General::swroot}/forward/config";
 my $configinput	    = "${General::swroot}/forward/input";
+my $configoutgoing  = "${General::swroot}/forward/outgoing";
 my $p2pfile			= "${General::swroot}/forward/p2protocols";
 my $configgrp		= "${General::swroot}/fwhosts/customgroups";
 my $netsettings		= "${General::swroot}/ethernet/settings";
@@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW";
 &General::readhash("$netsettings", \%defaultNetworks);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
+&General::readhasharray($configoutgoing, \%configoutgoingfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);

@@ -95,7 +98,7 @@ if($param eq 'flush'){
 	if($MODE eq '0'){
 		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
 			&p2pblock;
-			system ("/usr/sbin/firewall-forward-policy"); 
+			system ("/usr/sbin/firewall-policy"); 
 		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
 			$defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
 			$green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
@@ -117,7 +120,7 @@ if($param eq 'flush'){
 			
 			&p2pblock;
 			system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
-			system ("/usr/sbin/firewall-forward-policy");
+			system ("/usr/sbin/firewall-policy");
 		}
 	}
 }
@@ -125,6 +128,7 @@ sub flush
 {
 	system ("iptables -F FORWARDFW");
 	system ("iptables -F INPUTFW");
+	system ("iptables -F OUTGOINGFW");
 }			
 sub preparerules
 {
@@ -134,6 +138,9 @@ sub preparerules
 	if (! -z  "${General::swroot}/forward/input"){
 		&buildrules(\%configinputfw);
 	}
+	if (! -z  "${General::swroot}/forward/outgoing"){
+		&buildrules(\%configoutgoingfw);
+	}
 }
 sub buildrules
 {
@@ -160,7 +167,6 @@ sub buildrules
 					}
 				}
 			}elsif($$hash{$key}[5] eq 'ipfire'){
-
 				if($$hash{$key}[6] eq 'Default IP'){
 					open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
 					$targethash{$key}[0]= <FILE>;
@@ -217,7 +223,7 @@ sub buildrules
 						foreach my $b (sort keys %targethash){
 							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
 									if ($$hash{$key}[17] eq 'ON'){
 										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 									}
@@ -237,7 +243,7 @@ sub buildrules
 						foreach my $b (sort keys %targethash){
 							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
+									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
 									if ($$hash{$key}[17] eq 'ON'){
 										system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
 									}
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -109,7 +109,7 @@ usr/local/bin/update-lang-cache
 #usr/local/src
 #usr/sbin
 usr/sbin/ovpn-ccd-convert
-usr/sbin/firewall-forward-policy
+usr/sbin/firewall-policy
 usr/sbin/convert-xtaccess
 usr/sbin/convert-outgoingfw
 #usr/share
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups";
 if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'})
 {
 	my $MODE = $fwdfwsettings{'POLICY'};
+	my $MODE1 = $fwdfwsettings{'POLICY1'};
 	%fwdfwsettings = ();
 	$fwdfwsettings{'POLICY'} = "$MODE";
+	$fwdfwsettings{'POLICY1'} = "$MODE1";
 	&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
 	&reread_rules;
 }
@@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 {
 	&General::readhasharray("$configfwdfw", \%configfwdfw);
 	&General::readhasharray("$configinput", \%configinputfw);
-	&General::readhasharray("$configinput", \%configoutgoingfw);
+	&General::readhasharray("$configoutgoing", \%configoutgoingfw);
 	$errormessage=&checksource;
 	if(!$errormessage){&checktarget;}
 	if(!$errormessage){&checkrule;}
@@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 		}
 		#check Rulepos on new Rule
 		if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){
+			print"CHECK OUTGOING DOPPELTE REGEL<br>";
 			$fwdfwsettings{'oldrulenumber'}=$maxkey;
 			foreach my $key (sort keys %configoutgoingfw){
 				if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}"
@@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'})
 	&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
 	unless (-e "${General::swroot}/forward/config")  	{ system("touch ${General::swroot}/forward/config"); }
 	unless (-e "${General::swroot}/forward/input")  	{ system("touch ${General::swroot}/forward/input"); }
+	my $MODE1=$fwdfwsettings{'POLICY1'};
 	%fwdfwsettings = ();
 	$fwdfwsettings{'POLICY'}='MODE2';
+	$fwdfwsettings{'POLICY1'}=$MODE1;
+	&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+	&reread_rules;
+
+}
+if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing')
+{
+	&General::readhasharray("$configoutgoing", \%configoutgoingfw);
+	foreach my $key (sort keys %configoutgoingfw){
+		&checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,);
+		&checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,);
+		&checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,);
+	}
+	system("rm ${General::swroot}/forward/outgoing");
+	&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
+	unless (-e "${General::swroot}/forward/outgoing")  	{ system("touch ${General::swroot}/forward/outgoing"); }
+	my $MODE=$fwdfwsettings{'POLICY'};
+	%fwdfwsettings = ();
+	$fwdfwsettings{'POLICY'}=$MODE;
+	$fwdfwsettings{'POLICY1'}='MODE2';
 	&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
 	&reread_rules;

@@ -578,6 +602,8 @@ sub base
 {
 	if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; }
 	if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; }
+	if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; }
+	if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; }
 	&hint;
 	&addrule;
 	&p2pblock;
@@ -585,8 +611,8 @@ sub base
 print <<END;
 	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 	<table width='100%' border='0'>
+		<tr><td colspan='3' style='font-weight:bold;color:red;'>FORWARD </td></tr>
 		<tr><td colspan='3'>$Lang::tr{'fwdfw pol text'}</td></tr>
-		
 		<tr><td colspan='3'><hr /></td></tr>
 		<tr><td width='15%' align='left'>	<select name='POLICY' style="width: 100px">
 		<option value='MODE1' $selected{'POLICY'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
@@ -596,6 +622,21 @@ print <<END;
 END
 	print "$Lang::tr{'outgoing firewall reset'}: <input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />";
 	print "</table></form>";
+	print"<br><br>";
+	print <<END;
+	<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+	<table width='100%' border='0'>
+		<tr><td colspan='3' style='font-weight:bold;color:red;'>OUTGOING </td></tr>
+		<tr><td colspan='3'>$Lang::tr{'fwdfw pol text1'}</td></tr>
+		<tr><td colspan='3'><hr /></td></tr>
+		<tr><td width='15%' align='left'>	<select name='POLICY1' style="width: 100px">
+		<option value='MODE1' $selected{'POLICY1'}{'MODE1'}>$Lang::tr{'fwdfw pol block'}</option>
+		<option value='MODE2' $selected{'POLICY1'}{'MODE2'}>$Lang::tr{'fwdfw pol allow'}</option></select>
+	    <td width='45%' align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></form>
+	    <td width='45%' align='left'>
+END
+	print "$Lang::tr{'outgoing firewall reset'}: <form method='post' action='$ENV{'SCRIPT_NAME'}' style='display:inline'><input type='submit' value='$Lang::tr{'reset'}' /><input type='hidden' name='ACTION' value='resetoutgoing' />";
+	print "</table></form>";
 	&Header::closebox();
 }
 sub addrule
@@ -1805,8 +1846,6 @@ sub viewtablerule
 {
 	
 	&viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" );
-	&viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" );
-	&viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" );
 	&viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} );
 	&viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" );
 }
@@ -1818,23 +1857,7 @@ sub viewtablenew
 	my $title1=shift;
 	my $go='';
 	&General::readhasharray("$config", $hash);
-	#check if there are DMZ entries
-	if ($title1 eq 'DMZ'){
-		foreach my $key (keys %$hash){
-			if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} 
-		}
-	}elsif($title1 eq 'WLAN'){
-		foreach my $key (keys %$hash){
-			if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} 
-		}
-	}elsif($title1 eq 'Forward'){
-		foreach my $key (keys %$hash){
-			if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} 
-		}
-	}elsif( ! -z $config){
-		$go='on';
-	}
-	if($go ne ''){
+	if( ! -z $config){
 		&Header::openbox('100%', 'left',$title);
 		my $count=0;
 		my ($gif,$log);
@@ -1844,13 +1867,9 @@ sub viewtablenew
 		my @tmpsrc=();
 		my $coloryellow='';
 		print"<b>$title1</b><br>";
-		print"<table width='100%' border='0' cellspacing='1' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
+		print"<table width='100%' style='border: 1px solid  #000000;' rules='none'; padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;'>";
 		print"<tr><td align='center' width='1%'><b>#</td><td width='1%'></td><td align='center' ><b>$Lang::tr{'fwdfw source'}</td><td width='1%'><b>Log</td><td align='center' width='20%'><b>$Lang::tr{'fwdfw target'}</td><td align='center'><b>$Lang::tr{'protocol'}</b></td><td align='center' width='70%'><b>$Lang::tr{'remark'}</td><td align='center' colspan='3' width='1%'><b>$Lang::tr{'fwdfw action'}</td></tr>";
 		foreach my $key (sort  {$a <=> $b} keys %$hash){
-			#check if we have a FORWARDFW OR DMZ RULE
-			if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;}
-			if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;}
-			if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;}
 			@tmpsrc=();
 			#check if vpn hosts/nets have been deleted
 			if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO';
 $settings{'DROPNEWNOTSYN'} = 'on';
 $settings{'DROPINPUT'} = 'on';
 $settings{'DROPFORWARD'} = 'on';
+$settings{'DROPOUTGOING'} = 'on';
 $settings{'DROPPORTSCAN'} = 'on';
 $settings{'DROPWIRELESSINPUT'} = 'on';
 $settings{'DROPWIRELESSFORWARD'} = 'on';
@@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'";
 $checked{'DROPFORWARD'}{'off'} = '';
 $checked{'DROPFORWARD'}{'on'} = '';
 $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'";
+$checked{'DROPOUTGOING'}{'off'} = '';
+$checked{'DROPOUTGOING'}{'on'} = '';
+$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'";
 $checked{'DROPPORTSCAN'}{'off'} = '';
 $checked{'DROPPORTSCAN'}{'on'} = '';
 $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'";
@@ -102,6 +106,8 @@ print <<END
 																						<input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>on <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
 																						<input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> off</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>on <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
+																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> off</td></tr>																						
 <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>on <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> off</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>on <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
@@ -124,6 +130,10 @@ print <<END
 <option value='DROP' $selected{'FWPOLICY'}{'DROP'}>DROP</option>
 <option value='REJECT' $selected{'FWPOLICY'}{'REJECT'}>REJECT</option></select>
 </td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop action1'}</td><td><select name='FWPOLICY1'>
+<option value='DROP' $selected{'FWPOLICY1'}{'DROP'}>DROP</option>
+<option value='REJECT' $selected{'FWPOLICY1'}{'REJECT'}>REJECT</option></select>
+</td></tr>
 </table>

 <br />
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -746,10 +746,12 @@
 'download root certificate' => 'Root-Zertifikat herunterladen',
 'dpd action' => 'Aktion für Dead Peer Detection',
 'driver' => 'Treiber',
-'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"',
+'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
+'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
 'drop input' => 'Verworfene Input Pakete loggen',
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
-'drop forward' => 'Verworfene Firewall-Pakete loggen',
+'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',
+'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen',
 'drop portscan' => 'Verworfene Portscan Pakete loggen',
 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind',
 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025',
@@ -926,6 +928,7 @@
 'fwdfw pol block'		=> 'Blockiert',
 'fwdfw pol title'		=> 'Standardverhalten der Firewall',
 'fwdfw pol text'		=> 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.',
+'fwdfw pol text1'		=> 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.',
 'fwdfw reread'			=> 'Übernehmen',
 'fwdfw rules'			=> 'Regeln',
 'fwdfw rule action' 	=> 'Regel Aktion:',
@@ -1018,7 +1021,7 @@
 'fwhost ovpn_n2n'		=> 'OpenVPN N-2-N',
 'fwhost port'			=> 'Port(s)',
 'fwhost prot'			=> 'Protokoll',
-'fwhost reread'			=> 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.',
+'fwhost reread'			=> 'Die Firewallregeln müssen neu eingelesen werden.',
 'fwhost reset'			=> 'Abbrechen',
 'fwhost services'		=> 'Dienste',
 'fwhost srv_name'		=> 'Dienstname',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -771,7 +771,8 @@
 'download root certificate' => 'Download root certificate',
 'dpd action' => 'Dead Peer Detection action',
 'driver' => 'Driver',
-'drop action' => 'Default behaviour of firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"',
+'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
 'drop input' => 'Log dropped input pakets',
 'drop newnotsyn' => 'Log dropped new not syn pakets',
 'drop forward' => 'Log dropped forward pakets',
@@ -952,6 +953,7 @@
 'fwdfw pol block'		=> 'Blocked',
 'fwdfw pol title'		=> 'Firewall default behavior',
 'fwdfw pol text'		=> 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.',
+'fwdfw pol text1'		=> 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.',
 'fwdfw reread'			=> 'Apply',
 'fwdfw rules'			=> 'Rules',
 'fwdfw rule action' 	=> 'Rule action:',
@@ -1045,7 +1047,7 @@
 'fwhost ovpn_n2n'		=> 'OpenVPN N-2-N',
 'fwhost port'			=> 'Port(s)',
 'fwhost prot'			=> 'Protocol',
-'fwhost reread'			=> 'Firewallrules need to be updated. Please click applybutton.',
+'fwhost reread'			=> 'Firewallrules need to be updated.',
 'fwhost reset'			=> 'Cancel',
 'fwhost services'		=> 'Services',
 'fwhost srv_name'		=> 'Servicename',
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -105,7 +105,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw	/usr/sbin/convert-outgoingfw
 	cp $(DIR_SRC)/config/forwardfw/p2protocols		$(CONFIG_ROOT)/forward/p2protocols
 	cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl	$(CONFIG_ROOT)/forward/bin/firewall-lib.pl
-	cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy	/usr/sbin/firewall-forward-policy
+	cp $(DIR_SRC)/config/forwardfw/firewall-policy	/usr/sbin/firewall-policy
 	cp $(DIR_SRC)/config/fwhosts/icmp-types			$(CONFIG_ROOT)/fwhosts/icmp-types
 	cp $(DIR_SRC)/config/fwhosts/customservices		$(CONFIG_ROOT)/fwhosts/customservices
 	# Oneliner configfiles
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -153,6 +153,7 @@ case "$1" in
 	/sbin/iptables -N OUTGOINGFW
 	/sbin/iptables -N OUTGOINGFWMAC
 	/sbin/iptables -A OUTPUT -j OUTGOINGFW
+	/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT
 	/sbin/iptables -t nat -N CUSTOMPREROUTING
 	/sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING
 	/sbin/iptables -t nat -N CUSTOMPOSTROUTING
@@ -295,10 +296,13 @@ case "$1" in
 	#/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD"
 	
 	#POLICY CHAIN
-	/sbin/iptables -N POLICY
-	/sbin/iptables -A FORWARD -j POLICY
+	/sbin/iptables -N POLICYFWD
+	/sbin/iptables -A FORWARD -j POLICYFWD
+	/sbin/iptables -N POLICYOUT
+	/sbin/iptables -A OUTPUT -j POLICYOUT
 	
-	/usr/sbin/firewall-forward-policy
+	
+	/usr/sbin/firewall-policy
 	;;
  startovpn)  
 	# run openvpn