Commit Graph

118 Commits

Author SHA1 Message Date
Michael Tremer
0f5350608e firewall: Accept related ICMP packets again
This rule is required to forward ICMP error messages for
aborted TCP connections and the like.
2015-05-11 13:00:34 +02:00
Michael Tremer
a235f22952 firewall: Remove option to disable the SIP ALG 2015-04-22 18:13:56 +02:00
Michael Tremer
b1109b8af5 Enhance the security of the netfilter conntrack helpers
This is suggested here
  https://home.regit.org/netfilter-en/secure-use-of-helpers/
and deprecated in the kernel (#10665).
2015-04-22 18:10:59 +02:00
Stefan Schantl
cab02e2a5f Add "GEOIPBLOCK" chains to firewall initscript. 2015-01-04 00:57:23 +01:00
Arne Fitzenreiter
2a5b19c56f p2pblock: ipp2p must run before CONNTRACK.
And can only be used for blocking, not for accepting connections, because connections must already be established for detecting protocol types.
2014-10-04 17:39:51 +02:00
Alexander Marx
ca4259a758 BUG10620: reload firewall.local in rules.pl, no longer in initscript 2014-09-11 17:13:07 +02:00
Michael Tremer
e7204c2d95 firewall: Fix initialization when RED has not been brought up yet 2014-08-21 16:12:43 +02:00
Timo Eissler
4b12aa414c firewall: fix faulty masquerading packets 2014-08-08 09:53:56 +02:00
Michael Tremer
908555842c Merge remote-tracking branch 'ms/firewall-no-nat' into next
Conflicts:
	doc/language_issues.nl
	doc/language_issues.tr
2014-08-07 14:50:42 +02:00
Michael Tremer
983d471f93 firewall-no-nat: Use network masks to identify the subnets.
In the POSTROUTING chains of the NAT table, there is
no more information about on which interface the packet
has arrived (green0, etc.).
2014-08-06 14:37:21 +02:00
Arne Fitzenreiter
f0728c790f Merge remote-tracking branch 'origin/master' into next
Conflicts:
	config/cfgroot/general-functions.pl
2014-07-29 22:01:19 +02:00
Arne Fitzenreiter
dccbf1bf4e firewall: add more pscan matches and filter INVALID conntrack packages. 2014-07-29 21:57:07 +02:00
Michael Tremer
5b861b0545 Revert "firewall: Filter logging of broadcasts from the internal networks."
This reverts commit 63f2fb7fda.
2014-07-26 21:23:55 +02:00
Michael Tremer
83ef9c40ef firewall: Allow to disable masquerading. 2014-07-18 17:15:29 +02:00
Michael Tremer
c0e0848f99 firewall: Allow blocking access to GREEN from GREEN. 2014-05-20 11:41:23 +02:00
Michael Tremer
8e59a6022b firewall: Rename GUIINPUT chain to ICMPINPUT.
The name of the chain does not really explain what it does.
2014-05-20 11:27:24 +02:00
Michael Tremer
8490e49618 firewall: Explicitly allow DHCP messages. 2014-04-17 12:31:27 +02:00
Michael Tremer
d22294fa7e firewall: Fix outgoing OpenVPN N2N tunnel packets.
Don't throw away packets from the firewall that pass through
an OpenVPN N2N tunnel.
2014-04-12 16:17:20 +02:00
Michael Tremer
99f11a16f6 firewall: Apply destination NAT rules for the firewall itself, too. 2014-04-09 14:16:32 +02:00
Arne Fitzenreiter
c926c6375d firewall: fix green only mode.
disable masquerade and green IP/NET check if internet is
connected via green.
2014-04-05 11:04:25 +02:00
Michael Tremer
63f2fb7fda firewall: Filter logging of broadcasts from the internal networks. 2014-03-05 14:09:56 +01:00
Michael Tremer
6e87f0aa53 firewall: Allow accessing port forwardings from internal networks. 2014-03-02 20:37:44 +01:00
Michael Tremer
a0a5c14f85 firewall: Make sure that only packets that go through the tunnel are passing OVPNBLOCK. 2014-03-01 16:44:05 +01:00
Michael Tremer
bb3834231e firewall: Sort order in which chains are initialized.
This has been some real trouble because multiple rules could
not be properly inserted into the rule chains in the kernel
because the chains did not exist, yet.
2014-03-01 15:02:42 +01:00
Michael Tremer
55a5bcae74 firewall: Call firewallctrl with full path. 2014-02-26 20:03:32 +01:00
Michael Tremer
66f6b279b0 Reload all firewall rules when /etc/init.d/firewall reload is executed. 2014-02-25 12:23:09 +01:00
Michael Tremer
c2f7250b23 firewall: Remove even more redundant rules. 2014-02-21 11:35:05 +01:00
Michael Tremer
29201ca84b firewall: Remove redundant rule. 2014-02-20 13:01:36 +01:00
Michael Tremer
0f5c5ce72d firewall: Load init script functions. 2014-02-14 16:10:21 +01:00
Michael Tremer
cdb725da87 firewall: Load conntrack modules in firewall script. 2014-02-14 12:54:08 +01:00
Michael Tremer
7d7740a467 firewall: Initialize basic ruleset before entering runlevel 3. 2014-02-14 12:48:11 +01:00
Michael Tremer
159c55c5c8 firewall: Call firewall.local start at the very end. 2014-02-14 12:40:11 +01:00
Michael Tremer
c581b670ef firewall: Use --wait for every iptables call. 2014-02-14 12:35:40 +01:00
Alexander Marx
c0f99754df Firewall: now it is possible to connect from one ipfire to a green network of another openvpn connected ipfire
Please take care to put this into the docu! One can create DROP rules if
the remote ipfire should NOT be able to connect to the other's internal
networks. Therefore you have to take the green interface IP as SOURCE!
2013-12-23 11:05:04 +01:00
Alexander Marx
fac3861429 Firewall: Bugfix: in /etc/init.d/firewall the REDNAT chain was affected BEFORE NAT_SOURCE. Outgoing SNAT rules were not working though 2013-12-16 12:29:02 +01:00
Michael Tremer
ab4876ad42 firewall: Don't require to enable the RW server for N2N networks.
The firewall rules for OpenVPN have not been applied for N2N
connections when the road warrior server was disabled.
2013-11-08 13:38:09 +01:00
Alexander Marx
8039a71099 Firewall: renamed forwardfwctrl to firewallctrl 2013-10-24 09:42:42 +02:00
Michael Tremer
987b75bcd4 firewall: Add TOR chains. 2013-08-09 14:49:35 +02:00
Alexander Marx
e1efb8199d Forward Firewall: deleted postrouting block in firewall (not used anywhere) 2013-08-09 14:15:33 +02:00
Michael Tremer
bb12dd7b69 iptables: Cleanup creating SNAT/DNAT chains. 2013-08-09 14:15:33 +02:00
Michael Tremer
47cd046aed iptables: Remove OPENSSL{PHYSICAL,VIRTUAL} chains which are unused. 2013-08-09 14:15:33 +02:00
Michael Tremer
d5f1422d81 iptables: Jump into the firewall rulesets after everything else has been done. 2013-08-09 14:15:33 +02:00
Michael Tremer
51ab1de143 iptables: Create OVPNNAT chain after CUSTOM* chains. 2013-08-09 14:15:32 +02:00
Michael Tremer
815eaff433 iptables: Create guardian's chains after the CUSTOM* chains. 2013-08-09 14:15:32 +02:00
Michael Tremer
1e55533052 iptables: Cleanup creating the OVPNBLOCK chain.
This should happen after the CUSTOM* chains.
2013-08-09 14:15:32 +02:00
Michael Tremer
3b9a23ce07 iptables: Block all loopback packets on non-loopback interfaces. 2013-08-09 14:15:32 +02:00
Michael Tremer
afc611d448 iptables: Create LOOPBACK chain.
This chain accepts all communication on the loopback
interface without running it through the entire connection
tracking first.

Packets on lo can never be blocked and must always be
accepted. The firewall has to trust itself anyway.
2013-08-09 14:15:32 +02:00
Michael Tremer
c0359d6dfb iptables: Only jump into BADTCP for TCP packets.
This saves us from evaluating lots of rules for non-TCP
packets.
2013-08-09 14:15:32 +02:00
Michael Tremer
b85d2a9819 iptables: Replace state module by conntrack module.
The state module is deprecated in recent releases of iptables
and should not be used any more.

Additionally, this patch adds an extra chain for all
connection tracking rules, so we can keep the entire ruleset
smaller and cleaner.
2013-08-09 14:15:32 +02:00
Alexander Marx
c12392c0ef Forward Firewall: removed NAT table and txt file. 2013-08-09 14:15:29 +02:00