diff --git a/config/forwardfw/firewall-forward-policy b/config/forwardfw/firewall-forward-policy deleted file mode 100755 index aec71e29b..000000000 --- a/config/forwardfw/firewall-forward-policy +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) -eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) - -iptables -F POLICY - -if [ "$POLICY" == "MODE1" ]; then - - if [ "$FWPOLICY" == "REJECT" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" - fi - /sbin/iptables -A POLICY -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" - fi - if [ "$FWPOLICY" == "DROP" ]; then - if [ "$DROPFORWARD" == "on" ]; then - /sbin/iptables -A POLICY -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" - fi - /sbin/iptables -A POLICY -j DROP -m comment --comment "DROP_OUTPUT" - fi -fi - - diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index eb84c4af4..9f806850e 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -221,6 +221,8 @@ sub get_std_net_ip return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ return "$ipsecsettings{'RW_NET'}"; + }elsif($val eq 'IPFire'){ + return ; } } sub get_net_ip diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy new file mode 100755 index 000000000..e96278a16 --- /dev/null +++ b/config/forwardfw/firewall-policy @@ -0,0 +1,39 @@ +#!/bin/sh + +eval $(/usr/local/bin/readhash /var/ipfire/forward/settings) +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + +iptables -F POLICYFWD +iptables -F POLICYOUT + + +if [ "$POLICY" == "MODE1" ]; then + if [ "$FWPOLICY" == "REJECT" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD" + fi + if [ "$FWPOLICY" == "DROP" ]; then + if [ "$DROPFORWARD" == "on" ]; then + /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD" + fi + /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD" + fi +fi +if [ "$POLICY1" == "MODE1" ]; then + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT + if [ "$FWPOLICY1" == "REJECT" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT" + fi + if [ "$FWPOLICY1" == "DROP" ]; then + if [ "$DROPOUTGOING" == "on" ]; then + /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT" + fi + /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT" + fi +fi + diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index ddcd560c1..ffdb6c2ce 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -42,6 +42,7 @@ our %sourcehash=(); our %targethash=(); my @timeframe=(); my %configinputfw=(); +my %configoutgoingfw=(); my %aliases=(); my @DPROT=(); my @p2ps=(); @@ -51,6 +52,7 @@ require "${General::swroot}/forward/bin/firewall-lib.pl"; my $configfwdfw = "${General::swroot}/forward/config"; my $configinput = "${General::swroot}/forward/input"; +my $configoutgoing = "${General::swroot}/forward/outgoing"; my $p2pfile = "${General::swroot}/forward/p2protocols"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -66,6 +68,7 @@ my $CHAIN="FORWARDFW"; &General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray($configfwdfw, \%configfwdfw); &General::readhasharray($configinput, \%configinputfw); +&General::readhasharray($configoutgoing, \%configoutgoingfw); &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); @@ -95,7 +98,7 @@ if($param eq 'flush'){ if($MODE eq '0'){ if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ &p2pblock; - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'}); $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}"; @@ -117,7 +120,7 @@ if($param eq 'flush'){ &p2pblock; system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT"); - system ("/usr/sbin/firewall-forward-policy"); + system ("/usr/sbin/firewall-policy"); } } } @@ -125,6 +128,7 @@ sub flush { system ("iptables -F FORWARDFW"); system ("iptables -F INPUTFW"); + system ("iptables -F OUTGOINGFW"); } sub preparerules { @@ -134,6 +138,9 @@ sub preparerules if (! -z "${General::swroot}/forward/input"){ &buildrules(\%configinputfw); } + if (! -z "${General::swroot}/forward/outgoing"){ + &buildrules(\%configoutgoingfw); + } } sub buildrules { @@ -160,7 +167,6 @@ sub buildrules } } }elsif($$hash{$key}[5] eq 'ipfire'){ - if($$hash{$key}[6] eq 'Default IP'){ open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.'; $targethash{$key}[0]= ; @@ -217,7 +223,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } @@ -237,7 +243,7 @@ sub buildrules foreach my $b (sort keys %targethash){ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){ - if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";} + if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} if ($$hash{$key}[17] eq 'ON'){ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); } diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index f772be335..a8e4b79d3 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 @@ -109,7 +109,7 @@ usr/local/bin/update-lang-cache #usr/local/src #usr/sbin usr/sbin/ovpn-ccd-convert -usr/sbin/firewall-forward-policy +usr/sbin/firewall-policy usr/sbin/convert-xtaccess usr/sbin/convert-outgoingfw #usr/share diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 386e02d3e..460a08c4c 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -105,8 +105,10 @@ my $ipgrp="${General::swroot}/outgoing/groups"; if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'save'}) { my $MODE = $fwdfwsettings{'POLICY'}; + my $MODE1 = $fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'} = "$MODE"; + $fwdfwsettings{'POLICY1'} = "$MODE1"; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; } @@ -114,7 +116,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') { &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); - &General::readhasharray("$configinput", \%configoutgoingfw); + &General::readhasharray("$configoutgoing", \%configoutgoingfw); $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} @@ -219,6 +221,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } #check Rulepos on new Rule if($fwdfwsettings{'rulepos'} > 0 && !$fwdfwsettings{'oldrulenumber'}){ + print"CHECK OUTGOING DOPPELTE REGEL
"; $fwdfwsettings{'oldrulenumber'}=$maxkey; foreach my $key (sort keys %configoutgoingfw){ if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" @@ -356,8 +359,29 @@ if ($fwdfwsettings{'ACTION'} eq $Lang::tr{'reset'}) &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); unless (-e "${General::swroot}/forward/config") { system("touch ${General::swroot}/forward/config"); } unless (-e "${General::swroot}/forward/input") { system("touch ${General::swroot}/forward/input"); } + my $MODE1=$fwdfwsettings{'POLICY1'}; %fwdfwsettings = (); $fwdfwsettings{'POLICY'}='MODE2'; + $fwdfwsettings{'POLICY1'}=$MODE1; + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + &reread_rules; + +} +if ($fwdfwsettings{'ACTION'} eq 'resetoutgoing') +{ + &General::readhasharray("$configoutgoing", \%configoutgoingfw); + foreach my $key (sort keys %configoutgoingfw){ + &checkcounter($configoutgoingfw{$key}[3],$configoutgoingfw{$key}[4],,); + &checkcounter($configoutgoingfw{$key}[5],$configoutgoingfw{$key}[6],,); + &checkcounter($configoutgoingfw{$key}[14],$configoutgoingfw{$key}[15],,); + } + system("rm ${General::swroot}/forward/outgoing"); + &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); + unless (-e "${General::swroot}/forward/outgoing") { system("touch ${General::swroot}/forward/outgoing"); } + my $MODE=$fwdfwsettings{'POLICY'}; + %fwdfwsettings = (); + $fwdfwsettings{'POLICY'}=$MODE; + $fwdfwsettings{'POLICY1'}='MODE2'; &General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings); &reread_rules; @@ -578,6 +602,8 @@ sub base { if ($fwdfwsettings{'POLICY'} eq 'MODE1'){ $selected{'POLICY'}{'MODE1'} = 'selected'; } else { $selected{'POLICY'}{'MODE1'} = ''; } if ($fwdfwsettings{'POLICY'} eq 'MODE2'){ $selected{'POLICY'}{'MODE2'} = 'selected'; } else { $selected{'POLICY'}{'MODE2'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){ $selected{'POLICY1'}{'MODE1'} = 'selected'; } else { $selected{'POLICY1'}{'MODE1'} = ''; } + if ($fwdfwsettings{'POLICY1'} eq 'MODE2'){ $selected{'POLICY1'}{'MODE2'} = 'selected'; } else { $selected{'POLICY1'}{'MODE2'} = ''; } &hint; &addrule; &p2pblock; @@ -585,8 +611,8 @@ sub base print < + -
FORWARD
$Lang::tr{'fwdfw pol text'}
"; + print"

"; + print < + + + + +
OUTGOING
$Lang::tr{'fwdfw pol text1'}
+ + +END + print "$Lang::tr{'outgoing firewall reset'}:
"; + print "
"; &Header::closebox(); } sub addrule @@ -1805,8 +1846,6 @@ sub viewtablerule { &viewtablenew(\%configfwdfw,$configfwdfw,$Lang::tr{'fwdfw rules'},"Forward" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"DMZ" ); - &viewtablenew(\%configfwdfw,$configfwdfw,'',"WLAN" ); &viewtablenew(\%configinputfw,$configinput,"",$Lang::tr{'external access'} ); &viewtablenew(\%configoutgoingfw,$configoutgoing,"","Outgoing" ); } @@ -1818,23 +1857,7 @@ sub viewtablenew my $title1=shift; my $go=''; &General::readhasharray("$config", $hash); - #check if there are DMZ entries - if ($title1 eq 'DMZ'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'ORANGE'){$go='on';last} - } - }elsif($title1 eq 'WLAN'){ - foreach my $key (keys %$hash){ - if ($$hash{$key}[4] eq 'BLUE'){$go='on';last} - } - }elsif($title1 eq 'Forward'){ - foreach my $key (keys %$hash){ - if (($$hash{$key}[4] ne 'ORANGE' && $$hash{$key}[4] ne 'BLUE')){$go='on';last} - } - }elsif( ! -z $config){ - $go='on'; - } - if($go ne ''){ + if( ! -z $config){ &Header::openbox('100%', 'left',$title); my $count=0; my ($gif,$log); @@ -1844,13 +1867,9 @@ sub viewtablenew my @tmpsrc=(); my $coloryellow=''; print"$title1
"; - print""; + print"
"; print""; foreach my $key (sort {$a <=> $b} keys %$hash){ - #check if we have a FORWARDFW OR DMZ RULE - if ($title1 eq 'DMZ' && ($$hash{$key}[4] ne 'ORANGE')){next;} - if ($title1 eq 'WLAN' && ($$hash{$key}[4] ne 'BLUE')){next;} - if ($title1 eq 'Forward' && ($$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE')){next;} @tmpsrc=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index db4794c0c..f85c76214 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -31,6 +31,7 @@ $settings{'DISABLEPING'} = 'NO'; $settings{'DROPNEWNOTSYN'} = 'on'; $settings{'DROPINPUT'} = 'on'; $settings{'DROPFORWARD'} = 'on'; +$settings{'DROPOUTGOING'} = 'on'; $settings{'DROPPORTSCAN'} = 'on'; $settings{'DROPWIRELESSINPUT'} = 'on'; $settings{'DROPWIRELESSFORWARD'} = 'on'; @@ -72,6 +73,9 @@ $checked{'DROPINPUT'}{$settings{'DROPINPUT'}} = "checked='checked'"; $checked{'DROPFORWARD'}{'off'} = ''; $checked{'DROPFORWARD'}{'on'} = ''; $checked{'DROPFORWARD'}{$settings{'DROPFORWARD'}} = "checked='checked'"; +$checked{'DROPOUTGOING'}{'off'} = ''; +$checked{'DROPOUTGOING'}{'on'} = ''; +$checked{'DROPOUTGOING'}{$settings{'DROPOUTGOING'}} = "checked='checked'"; $checked{'DROPPORTSCAN'}{'off'} = ''; $checked{'DROPPORTSCAN'}{'on'} = ''; $checked{'DROPPORTSCAN'}{$settings{'DROPPORTSCAN'}} = "checked='checked'"; @@ -102,6 +106,8 @@ print < off + +
#$Lang::tr{'fwdfw source'}Log$Lang::tr{'fwdfw target'}$Lang::tr{'protocol'}$Lang::tr{'remark'}$Lang::tr{'fwdfw action'}
$Lang::tr{'drop forward'}on / off
$Lang::tr{'drop outgoing'}on / + off
$Lang::tr{'drop portscan'}on / off
$Lang::tr{'drop wirelessinput'}on / @@ -124,6 +130,10 @@ print <DROP
$Lang::tr{'drop action1'} +

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 141145eae..fd26cd322 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -746,10 +746,12 @@ 'download root certificate' => 'Root-Zertifikat herunterladen', 'dpd action' => 'Aktion für Dead Peer Detection', 'driver' => 'Treiber', -'drop action' => 'Standardverhalten der Firewall in Modus "Blocked"', +'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"', +'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', 'drop input' => 'Verworfene Input Pakete loggen', 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', -'drop forward' => 'Verworfene Firewall-Pakete loggen', +'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen', +'drop outgoing' => 'Verworfene (Outgoing) Firewall-Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', 'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', @@ -926,6 +928,7 @@ 'fwdfw pol block' => 'Blockiert', 'fwdfw pol title' => 'Standardverhalten der Firewall', 'fwdfw pol text' => 'Standardverhalten für Verbindungen aus den lokalen Netzwerken. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln. Außerdem werden hier der externe Zugang und der Zugriff auf die DMZ geregelt.', +'fwdfw pol text1' => 'Standardverhalten für Verbindungen von IPFire. Bei "Zugelassen" werden sämtliche Verbindungen zugelassen mit Ausnahme der in Forward konfigurierten Regeln. Mit "Blockiert" werden alle Verbindungsversuche blockiert, mit Ausnahme der in Forward erstellten Regeln.Achtung! Mit diesen Einstellungen kann man sich aussperren. Normalerweise ist keine Änderung nötig.', 'fwdfw reread' => 'Übernehmen', 'fwdfw rules' => 'Regeln', 'fwdfw rule action' => 'Regel Aktion:', @@ -1018,7 +1021,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protokoll', -'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden. Bitte Übernehmen klicken.', +'fwhost reread' => 'Die Firewallregeln müssen neu eingelesen werden.', 'fwhost reset' => 'Abbrechen', 'fwhost services' => 'Dienste', 'fwhost srv_name' => 'Dienstname', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1d0c3e7cf..aea37679b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -771,7 +771,8 @@ 'download root certificate' => 'Download root certificate', 'dpd action' => 'Dead Peer Detection action', 'driver' => 'Driver', -'drop action' => 'Default behaviour of firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (forward) firewall in mode "Blocked"', +'drop action' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop input' => 'Log dropped input pakets', 'drop newnotsyn' => 'Log dropped new not syn pakets', 'drop forward' => 'Log dropped forward pakets', @@ -952,6 +953,7 @@ 'fwdfw pol block' => 'Blocked', 'fwdfw pol title' => 'Firewall default behavior', 'fwdfw pol text' => 'Default behavior for connections from local networks. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Also external access and connections to/from the demilitarized zone are configurable here.', +'fwdfw pol text1' => 'Default behavior for connections from IPFire. "Allowed" allows all connections from local networks except the defined rules. "Blocked" prohibits all connections except the defined ones. Attention! YOu can lock yourself out with these settings. Normally there is no need to change anything here.', 'fwdfw reread' => 'Apply', 'fwdfw rules' => 'Rules', 'fwdfw rule action' => 'Rule action:', @@ -1045,7 +1047,7 @@ 'fwhost ovpn_n2n' => 'OpenVPN N-2-N', 'fwhost port' => 'Port(s)', 'fwhost prot' => 'Protocol', -'fwhost reread' => 'Firewallrules need to be updated. Please click applybutton.', +'fwhost reread' => 'Firewallrules need to be updated.', 'fwhost reset' => 'Cancel', 'fwhost services' => 'Services', 'fwhost srv_name' => 'Servicename', diff --git a/lfs/configroot b/lfs/configroot index 88fa9f2f8..aa5d764df 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -105,7 +105,7 @@ $(TARGET) : cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl - cp $(DIR_SRC)/config/forwardfw/firewall-forward-policy /usr/sbin/firewall-forward-policy + cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices # Oneliner configfiles diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index ed7509ff2..7ec327417 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -153,6 +153,7 @@ case "$1" in /sbin/iptables -N OUTGOINGFW /sbin/iptables -N OUTGOINGFWMAC /sbin/iptables -A OUTPUT -j OUTGOINGFW + /sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -t nat -N CUSTOMPREROUTING /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING /sbin/iptables -t nat -N CUSTOMPOSTROUTING @@ -295,10 +296,13 @@ case "$1" in #/sbin/iptables -A FORWARD -j DROP -m comment --comment "DROP_FORWARD" #POLICY CHAIN - /sbin/iptables -N POLICY - /sbin/iptables -A FORWARD -j POLICY + /sbin/iptables -N POLICYFWD + /sbin/iptables -A FORWARD -j POLICYFWD + /sbin/iptables -N POLICYOUT + /sbin/iptables -A OUTPUT -j POLICYOUT - /usr/sbin/firewall-forward-policy + + /usr/sbin/firewall-policy ;; startovpn) # run openvpn