firewall: add firewall bridge mode

Add a firewall bridge mode so the firewall can be used as a
layer-2 inline bridge, either for DDoS protection or for
filtering by iptables rules configured in the netfilter
filter table's FORWARD chain.

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Vincent Li
2025-04-11 19:13:32 -07:00
parent cb5313ec87
commit 6eef7f8535
3 changed files with 28 additions and 1 deletions


@@ -122,6 +122,9 @@ case "${POLICY}" in
fi
iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
ACCEPT) # ACCEPT for firewall bridge mode
iptables -A POLICYFWD -j ACCEPT -m comment --comment "ACCEPT_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
@@ -162,7 +165,15 @@ case "${POLICY}" in
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
case "${FWPOLICY}" in
ACCEPT) # ACCEPT for firewall bridge mode
iptables -A POLICYFWD -j ACCEPT -m comment --comment "ACCEPT_FORWARD"
;;
*) # DROP
iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
esac
;;
esac
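Review bot: The rate-limited `LOG --log-prefix "DROP_FORWARD "` rule (the `if [ "${DROPFORWARD}" = "on" ]` block just above the new inner `case "${FWPOLICY}"`) is still appended before the FWPOLICY dispatch, so with `FWPOLICY=ACCEPT` every forwarded packet reaching POLICYFWD is first logged as DROP_FORWARD and then accepted — false drop entries for traffic that was allowed, which will mislead anyone alerting on that prefix and can flood the kernel log at 10/s. Move that three-line `if … fi` block into the `*)` arm, directly above `iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"`, so only traffic that is actually dropped is logged. The fall-through `*)` still drops when FWPOLICY is unset or has any other value, which keeps the fail-closed default; it would be worth a comment on the ACCEPT arm noting that POLICYFWD then accepts everything, so in bridge mode any filtering rules must sit earlier in the FORWARD chain than the jump to POLICYFWD (presumably that jump is set up elsewhere in this script — not visible here). Note the outer `case "${POLICY}"` statement starts outside the hunk, and the POLICY=ACCEPT arm added in the first hunk and the FWPOLICY=ACCEPT arm here are two separate switches for the same effect; if that is intentional, a one-line comment on each saying which configuration variable governs which mode would help.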