webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-28 11:43:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

firewall: Fix MAC filter

Browse Source 
Packets destined for the firewall coming in from the blue
device where accepted too early to be processed by the
firewall input chain rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer
2016-02-05 10:24:03 +00:00
parent ff43197b01
commit 645378fbb9
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
config/firewall/firewall-policy
View File

@@ -60,6 +60,11 @@ HAVE_OPENVPN="true"
# Allow access from GREEN # Allow access from GREEN
iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
# Allow access from BLUE
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
fi
# IPsec INPUT # IPsec INPUT
case "${HAVE_IPSEC},${POLICY}" in case "${HAVE_IPSEC},${POLICY}" in
true,MODE1) ;; true,MODE1) ;;

6
src/misc-progs/wirelessctrl.c
View File

@@ -126,21 +126,21 @@ int main(void) {
if (strcmp(enabled, "on") == 0) { if (strcmp(enabled, "on") == 0) {
/* both specified, added security */ /* both specified, added security */
if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) { if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command); safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
safe_system(command); safe_system(command);
} else { } else {
/* correctly formed mac address is 17 chars */ /* correctly formed mac address is 17 chars */
if (strlen(macaddress) == 17) { if (strlen(macaddress) == 17) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
safe_system(command); safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
safe_system(command); safe_system(command);
} }
if (VALID_IP_AND_MASK(ipaddress)) { if (VALID_IP_AND_MASK(ipaddress)) {
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j RETURN", ipaddress, blue_dev);
safe_system(command); safe_system(command);
snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
safe_system(command); safe_system(command);