[PATCH] firewall: Drop legacy rules for PPPoE/PPTP

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1560 bytes --]

These rules where created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.

This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).

Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.

Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in
Tested-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Tested-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index dfa08d58b..50f2b3e02 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -424,19 +424,6 @@ iptables_red_up() {
 		fi
 	fi
 
-	# PPPoE / PPTP Device
-	if [ "$IFACE" != "" ]; then
-		# PPPoE / PPTP
-		if [ "$DEVICE" != "" ]; then
-			iptables -A REDINPUT -i $DEVICE -j ACCEPT
-		fi
-		if [ "$RED_TYPE" == "PPTP" -o "$RED_TYPE" == "PPPOE" ]; then
-			if [ "$RED_DEV" != "" ]; then
-				iptables -A REDINPUT -i $RED_DEV -j ACCEPT
-			fi
-		fi
-	fi
-
 	# PPTP over DHCP
 	if [ "$DEVICE" != "" -a "$TYPE" == "PPTP" -a "$METHOD" == "DHCP" ]; then
 		iptables -A REDINPUT -p tcp --source-port 67 --destination-port 68 -i $DEVICE -j ACCEPT
-- 
2.30.2