firewall: Add auxiliary rules for firewall access.

Rules for accessing the firewall are added when access to networks (GREEN, BLUE, ...) the firewall resides in is allowed.
2026-04-14 13:02:58 +02:00 · 2014-03-10 19:40:20 +01:00
parent cbb88df154
commit e9b5ba4179
1 changed files with 36 additions and 0 deletions
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -278,6 +278,11 @@ sub buildrules {
 					# Add time constraint options.
 					push(@options, @time_options);

+					my $firewall_is_in_source_subnet = 0;
+					if ($source) {
+						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+					}
+
 					# Process NAT rules.
 					if ($NAT) {
 						my $nat_address = &get_nat_address($$hash{$key}[29]);
@@ -326,6 +331,14 @@ sub buildrules {
 					}

 					push(@options, @source_options);
+
+					if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+						if ($LOG && !$NAT) {
+							run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+						}
+						run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+					}
+
 					push(@options, @destination_options);

 					# Insert firewall rule.
@@ -781,3 +794,26 @@ sub make_log_limit_options {

 	return @options;
 }
+
+sub firewall_is_in_subnet {
+	my $subnet = shift;
+
+	my ($net_address, $net_mask) = split("/", $subnet);
+	if (!$net_mask) {
+		return 0;
+	}
+
+	# ORANGE is missing here, because nothing may ever access
+	# the firewall from this network.
+	foreach my $zone ("GREEN", "BLUE") {
+		next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+		my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+
+		if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+			return 1;
+		}
+	}
+
+	return 0;
+}