This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via fded6faa72d581114e25ddb17bcc607625736fdc (commit)
via c0e0848f999ed8944ae551047fdea32bfee88d03 (commit)
via 8e59a6022bf7cb225c3509be2964833cce0e630c (commit)
via 763190af8e3272a1edd582e1e1736bfc8c0c1baa (commit)
from 9d707db06eef14a519ed1e5091a6d12f50b452d4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fded6faa72d581114e25ddb17bcc607625736fdc
Merge: 9d707db c0e0848
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu May 22 23:11:43 2014 +0200
Merge remote-tracking branch 'ms/firewall-block-green' into next
commit c0e0848f999ed8944ae551047fdea32bfee88d03
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue May 20 11:41:23 2014 +0200
firewall: Allow blocking access to GREEN from GREEN.
commit 8e59a6022bf7cb225c3509be2964833cce0e630c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue May 20 11:27:24 2014 +0200
firewall: Rename GUIINPUT chain to ICMPINPUT.
The name of the chain does not really explain what it does.
commit 763190af8e3272a1edd582e1e1736bfc8c0c1baa
Merge: 30b1c1c 33df321
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue May 20 11:25:48 2014 +0200
Merge remote-tracking branch 'origin/master' into next
-----------------------------------------------------------------------
Summary of changes:
config/firewall/firewall-policy | 3 +++
src/initscripts/init.d/firewall | 13 ++++++++-----
2 files changed, 11 insertions(+), 5 deletions(-)
Difference in files:
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 96b9b2f..4ba1ace 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,9 @@ HAVE_OPENVPN="true"
# INPUT
+# Allow access from GREEN
+iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
+
# IPsec INPUT
case "${HAVE_IPSEC},${POLICY}" in
true,MODE1) ;;
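Review bot: the new POLICYIN rule under the "# INPUT" comment accepts every protocol and every connection state arriving on GREEN, whereas the INPUT rule this series removes from src/initscripts/init.d/firewall matched only `--ctstate NEW` and excluded ICMP (`! -p icmp`). If the broader match is intended, say so in the comment or the commit message; otherwise carry the same matches over. Nothing visible in this hunk guards against an empty GREEN_DEV, so a check before calling iptables with `-i "${GREEN_DEV}"` would be worth adding.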
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 8371781..7a18502 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -120,10 +120,10 @@ iptables_init() {
iptables -N IPTVFORWARD
iptables -A FORWARD -j IPTVFORWARD
- # filtering from GUI
- iptables -N GUIINPUT
- iptables -A INPUT -j GUIINPUT
- iptables -A GUIINPUT -p icmp --icmp-type 8 -j ACCEPT
+ # Allow to ping the firewall.
+ iptables -N ICMPINPUT
+ iptables -A INPUT -j ICMPINPUT
+ iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
# Accept everything on loopback
iptables -N LOOPBACK
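Review bot: renaming the chain to ICMPINPUT in iptables_init() frees the name GUIINPUT, which the next hunk in this file re-creates for a different purpose (TCP port 444 from GREEN). The summary lists only two changed files, so any other script that still flushes or appends to GUIINPUT would now act on the new chain; a grep for the old name before merging would confirm nothing is left behind. Minor style point: `--icmp-type echo-request` reads more clearly than `--icmp-type 8`.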
@@ -179,7 +179,10 @@ iptables_init() {
iptables -t nat -A POSTROUTING -j IPSECNAT
# localhost and ethernet.
- iptables -A INPUT -i $GREEN_DEV -m conntrack --ctstate NEW -j ACCEPT ! -p icmp
+ # Always allow accessing the web GUI from GREEN.
+ iptables -N GUIINPUT
+ iptables -A INPUT -j GUIINPUT
+ iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
# WIRELESS chains
iptables -N WIRELESSINPUT
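Review bot: the comment promises "Always allow accessing the web GUI from GREEN", but that only holds if `iptables -A INPUT -j GUIINPUT` is reached before any chain that can drop traffic from GREEN. The jump used to be appended near line 120 of iptables_init() and is now appended near line 180, so every chain hooked into INPUT in between is evaluated first; please confirm none of them can drop GREEN traffic to port 444, or move the jump back up. Port 444 is also hard-coded in the rule; a variable or a short comment naming the service listening there would make later changes safer.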
hooks/post-receive
--
IPFire 2.x development tree