On Sat, 2012-10-13 at 19:54 +0200, Alexander Marx wrote:
> Am 13.10.2012 19:18, schrieb Michael Tremer:
> >> I already tried to play with the OVPNFORWARD Chain but had no luck.
> > You should use CUSTOMFORWARD/CUSTOMINPUT for those rules.
> ok. But why are there the chains OVPNINPUT and OVPNFORWARD?!
> As far as i understand right now, these chains should be DROP ore 
> flushed, when Firewall is in mode 1, right?
> And to think a bit further, when someone begins to develop an addon or 
> core function to create rules
> for CUSTOMFORWARD with a webgui, is this sufficient for creating a 
> INCOMING Firewall?! (I know its FORWARD-Chain)
> But i hope you understand what i mean.

Those chains have been introduced with the OpenVPN addon.
It was intended to build in-tunnel filtering, but that has never been
implemented.

If you would like to implement filtering for VPN tunnels, please use
those chains. Don't put anything into CUSTOM* because these are for
rules that are manually created by the user.

OVPNINPUT and OVPNFORWARD work in exactly the same way. Same for
IPSECINPUT and IPSECFORWARD.

> >> It would be great if one can say:
> >> Hey, VPN1 is only allowed to connect to my internal servers 192.168.0.2
> >> and 192.168.0.3 via RDP (3389)
> >> ans that via gui
> > You can use the outgoing firewall to limit some sorts of traffic, but
> > you cannot block incoming packets with it.
> >
> >> I already developed addons for ipcop, but ipfire seems complete different...
> > No, the web UI is pretty much the same (crap). The firewall scripts do
> > not differ too much, either.

> Well the way ipfire is compiled and the way addons are created is much 
> more complicated at a first sight.

Indeed, there is a detailed guide how to start on our wiki.
http://wiki.ipfire.org/en/development/build

> If i would understand how to add changes to the ipfire, maybe i would 
> begin to develop some sort of
> gui for creating some firewall-rules.
> I think it is not so difficult, because it just takes a textfile for the 
> rules, and a table in webinterface where the rule positions can be 
> changed and created. And a funvtion, that reads the rules on every reboot.
> 
> Do you agree so far?!!

Yes, that's the way.

Maybe it is a good idea to integrate that as native as possible into the
WUI, because there already too many possibilities how to add firewall
rules (portfw, xtaccess, outgoing firewall,...).

Michael