firewall: Drop legacy rules for PPPoE/PPTP

These rules where created to permit any local traffic to the firewall when using a PPP connection that utilised Ethernet as transport. This is however nonsensical and a security issue for any other connection methods that call the RED interface "red0" and use PPP (e.g. QMI). Since PPPoE packets do not flow through iptables, these rules can be dropped safely. We do not know whether PPTP works at all these days. Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2023-04-21 12:23:00 +00:00
parent ef59185bf3
commit aac0baea15
1 changed files with 0 additions and 13 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -424,19 +424,6 @@ iptables_red_up() {
 		fi
 	fi

-	# PPPoE / PPTP Device
-	if [ "$IFACE" != "" ]; then
-		# PPPoE / PPTP
-		if [ "$DEVICE" != "" ]; then
-			iptables -A REDINPUT -i $DEVICE -j ACCEPT
-		fi
-		if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
-			if [ "$RED_DEV" != "" ]; then
-				iptables -A REDINPUT -i $RED_DEV -j ACCEPT
-			fi
-		fi
-	fi
-
 	# PPTP over DHCP
 	if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
 		iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT