From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: [PATCH] apply default firewall policy for ORANGE, too
Date: Wed, 06 Feb 2019 21:00:00 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7112931261424990860=="
List-Id:
--===============7112931261424990860==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
If firewall default policy is set to DROP, this setting was not applied to outgoing ORANGE traffic as well, which was misleading.
Fixes #11973
Signed-off-by: Peter M=C3=BCller
Cc: Michael Tremer
Cc: Oliver Fuhrer
---
 src/initscripts/system/firewall | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 707209987..b9dd3485e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -294,7 +294,7 @@ iptables_init() {
 iptables -N OVPNINPUT
 iptables -A INPUT -j OVPNINPUT
=20
- # TOR
+ # Tor
 iptables -N TOR_INPUT
 iptables -A INPUT -j TOR_INPUT
 =09
@@ -414,15 +414,6 @@ iptables_red_up() {
 iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $DEV= ICE -j ACCEPT
 fi
=20
- # Orange pinholes
- if [ "$ORANGE_DEV" !=3D "" ]; then
- # This rule enables a host on ORANGE network to connect to the outside
- # (only if we have a red connection)
- if [ "$IFACE" !=3D "" ]; then
- iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
- fi
- fi
-
 if [ "$IFACE" !=3D "" -a -f /var/ipfire/red/active ]; then
 # DHCP
 if [ "$RED_DEV" !=3D "" -a "$RED_TYPE" =3D=3D "DHCP" ]; then
@@ -470,7 +461,7 @@ iptables_red_up() {
=20
 iptables_red_down() {
 # Prohibit packets to reach the masquerading rule
- # while the wan interface is down - this is required to
+ # while the WAN interface is down - this is required to
 # circumvent udp related NAT issues
 # http://forum.ipfire.org/index.php?topic=3D11127.0
 if [ -n "${IFACE}" ]; then
--=20
2.16.4
--===============7112931261424990860==--