webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 02:55:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

outgoingfw: mode=1: Change policy ACCEPT -> RETURN.

Browse Source 
Because of the early acceptance of packets, that pass the outgoing
firewall, it was possible to circumvent the MAC address filter on
blue.
The RETURN target forces the packets to go on. Other packets,
that do not pass the outgoing firewall will be dropped immediately.
This commit is contained in:
Michael Tremer
2012-08-07 16:37:29 +02:00
parent c9e01c8cb8
commit 78a14abf81
2 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
config/outgoingfw/outgoingfw.pl
View File

@@ -91,10 +91,10 @@ close FILE;
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
$outfwsettings{'STATE'} = "ALLOW";
$POLICY = "DROP";
$DO = "ACCEPT";
$DO = "RETURN";
} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
$outfwsettings{'STATE'} = "DENY";
$POLICY = "ACCEPT";
$POLICY = "RETURN";
$DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
}
@@ -112,13 +112,13 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
}
if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
$CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
$CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
$CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
$CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
$CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
$CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
}
@@ -260,7 +260,7 @@ foreach $p2pentry (sort @p2ps)
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
} else {
$DO = "ACCEPT";
$DO = "RETURN";
if ("$p2pline[2]" eq "on") {
$P2PSTRING = "$P2PSTRING --$p2pline[1]";
}
@@ -290,4 +290,4 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
} else {
system("$CMD");
}
}
}

1
config/rootfiles/core/62/filelists/files
View File

@@ -2,3 +2,4 @@ etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/connections.cgi
usr/lib/gconv
var/ipfire/outgoing/bin/outgoingfw.pl