From 78a14abf81e61ea4fc62d313dfd6779cda9421ae Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 7 Aug 2012 16:37:29 +0200
Subject: [PATCH 1/2] outgoingfw: mode=1: Change policy ACCEPT -> RETURN.
Because of the early acceptance of packets, that pass the outgoing firewall, it was possible to circumvent the MAC address filter on blue. The RETURN target forces the packets to go on. Other packets, that do not pass the outgoing firewall will be dropped immediately.
---
 config/outgoingfw/outgoingfw.pl | 16 ++++++++--------
 config/rootfiles/core/62/filelists/files | 1 +
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
index 1d7dd93aa..c4813e9df 100644
--- a/config/outgoingfw/outgoingfw.pl
+++ b/config/outgoingfw/outgoingfw.pl
@@ -91,10 +91,10 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 $outfwsettings{'STATE'} = "ALLOW";
 $POLICY = "DROP";
- $DO = "ACCEPT";
+ $DO = "RETURN";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 $outfwsettings{'STATE'} = "DENY";
- $POLICY = "ACCEPT";
+ $POLICY = "RETURN";
 $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
 }
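Review bot: The change from ACCEPT to RETURN at `$DO = "RETURN"` in the MODE1 branch (and `$POLICY = "RETURN"` in the MODE2 branch) carries the entire security rationale of this commit, but nothing in the code records it, so a later maintainer who sees RETURN where a firewall generator "obviously" wants ACCEPT is likely to revert it and reopen the MAC-filter bypass described in the message. I would put a comment above the MODE1 block, e.g. `# RETURN, not ACCEPT: a match only ends the OUTGOINGFW check; the packet must still pass the remaining rules of the calling chain (e.g. the blue MAC filter).` The same applies to the p2p branch in the `@@ -260,7 +260,7 @@` hunk, which also sets `$DO = "RETURN"` with no explanation. The `if`/`elsif` block itself is complete within this hunk, so the comment has a natural place directly above it.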
@@ -112,13 +112,13 @@ if ( $outfwsettings{'POLICY'} eq 'MODE0' ) {
 }
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
- $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
- $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j ACCEPT";
+ $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN";
 if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }
 }
@@ -260,7 +260,7 @@ foreach $p2pentry (sort @p2ps)
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
 } else {
- $DO = "ACCEPT";
+ $DO = "RETURN";
 if ("$p2pline[2]" eq "on") {
 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
 }
@@ -290,4 +290,4 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 } else {
 system("$CMD");
 }
-}
\ No newline at end of file
+}
diff --git a/config/rootfiles/core/62/filelists/files b/config/rootfiles/core/62/filelists/files
index 89987a1b6..731daa03c 100644
--- a/config/rootfiles/core/62/filelists/files
+++ b/config/rootfiles/core/62/filelists/files
@@ -2,3 +2,4 @@ etc/system-release
 etc/issue
 srv/web/ipfire/cgi-bin/connections.cgi
 usr/lib/gconv
+var/ipfire/outgoing/bin/outgoingfw.pl
From 4e2bce180421f90ab45ed71d00d2bbf902c407ee Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 12 Aug 2012 20:45:21 +0200
Subject: [PATCH 2/2] outgoingfw: Remove unused variable in generator script.
---
 config/outgoingfw/outgoingfw.pl | 3 ---
 1 file changed, 3 deletions(-)
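Review bot: The four retargeted `$CMD` rules are still executed by the unchanged `system("$CMD")` branch that follows each assignment, and the exit status of `system` is never examined, so if one of these inserts fails (wrong chain name, iptables lock, missing match module) the generator carries on silently and the installed ruleset no longer matches what the selected mode promises; for a firewall that is a silent policy drift rather than a visible error. Since the same print-or-run line is repeated after every assignment, I would fold it into one file-scope helper that checks the status, and replace each `if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); }` with `run_rule($CMD);`. The helper keeps the single-string form of `system` because rules such as the MODE2 `$DO` rely on the shell parsing the quoted `--comment` argument. The enclosing `if` block for MODE1 is fully inside this hunk, but the helper itself would have to be defined outside it.
```perl
# Print the rule in debug mode; otherwise run it and report a failed insert.
sub run_rule {
    my ($cmd) = @_;
    if ($DEBUG) { print "$cmd\n"; return; }
    system("$cmd") == 0
        or warn "outgoingfw: rule failed (status $?): $cmd\n";
    return;
}
# … unchanged: the four $CMD assignments, each now followed by run_rule($CMD); …
```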
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
index c4813e9df..8bb49e0bd 100644
--- a/config/outgoingfw/outgoingfw.pl
+++ b/config/outgoingfw/outgoingfw.pl
@@ -73,7 +73,6 @@ my $PROTO = "";
 my $DPORT = "";
 my $DEV = "";
 my $MAC = "";
-my $POLICY = "";
 my $DO = "";
 my $DAY = "";
@@ -90,11 +89,9 @@ close FILE;
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 $outfwsettings{'STATE'} = "ALLOW";
- $POLICY = "DROP";
 $DO = "RETURN";
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
 $outfwsettings{'STATE'} = "DENY";
- $POLICY = "RETURN";
 $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '";
 }