webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-05-09 16:58:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
fee04791f40ce7e4d7396fff53e5f2ed4fc5e99d
bpfire/config/firewall/firewall-policy
Michael Tremer c26a9ed25c firewall-policy: Clarify policy rules. 
There are no functional changes here. Everything that
is not explicitely allowed is now forbidden when the
forward policy is "ALLOWED".
2014-03-30 22:33:58 +02:00

164 lines
5.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
function iptables() {
/sbin/iptables --wait "$@"
}
iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN
if [ -f "/var/ipfire/red/iface" ]; then
IFACE="$(</var/ipfire/red/iface)"
fi
# Figure out what devices are configured.
HAVE_BLUE="false"
HAVE_ORANGE="false"
case "${CONFIG_TYPE}" in
2)
HAVE_ORANGE="true"
;;
3)
HAVE_BLUE="true"
;;
4)
HAVE_BLUE="true"
HAVE_ORANGE="true"
;;
esac
HAVE_IPSEC="true"
HAVE_OPENVPN="true"
# INPUT
# IPsec INPUT
case "${HAVE_IPSEC},${POLICY}" in
true,MODE1) ;;
true,*)
iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
;;
esac
# OpenVPN INPUT
# Allow direct access to the internal IP addresses of the firewall
# from remote subnets if forward policy is allowed.
case "${HAVE_OPENVPN},${POLICY}" in
true,MODE1) ;;
true,*)
iptables -A POLICYIN -i tun+ -j ACCEPT
;;
esac
case "${FWPOLICY2}" in
REJECT)
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT "
fi
iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
;;
*) # DROP
if [ "${DROPINPUT}" = "on" ]; then
iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT "
fi
iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
;;
esac
# FORWARD
case "${POLICY}" in
MODE1)
case "${FWPOLICY}" in
REJECT)
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD "
fi
iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
;;
*) # DROP
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
;;
esac
;;
*)
# Access from GREEN is granted to everywhere
iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT
# Grant access for IPsec VPN connections
iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT
# Grant access for OpenVPN connections
iptables -A POLICYFWD -i tun+ -j ACCEPT
if [ -n "${IFACE}" ]; then
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
iptables -A POLICYFWD -i "${BLUE_DEV}" -s "${BLUE_NETADDRESS}/${BLUE_NETMASK}" -o "${IFACE}" -j ACCEPT
fi
if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
iptables -A POLICYFWD -i "${ORANGE_DEV}" -s "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" -o "${IFACE}" -j ACCEPT
fi
fi
if [ "${DROPFORWARD}" = "on" ]; then
iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD "
fi
iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
;;
esac
# OUTGOING
case "${POLICY1}" in
MODE1)
case "${FWPOLICY1}" in
REJECT)
if [ "${DROPOUTGOING}" = "on" ]; then
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT "
fi
iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
;;
*) # DROP
if [ "${DROPOUTGOING}" == "on" ]; then
iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT "
fi
iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
;;
esac
;;
*)
iptables -A POLICYOUT -j ACCEPT
iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
;;
esac
exit 0
Reference in New Issue View Git Blame Copy Permalink