This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  13585cc922d6836d2a908ff4a9f0a7024b086876 (commit)
       via  5c3de120aabfaf150aa7303c4c3c92e3072da809 (commit)
       via  a0a5c14f8525a2885e985b56d8ac360358b4c726 (commit)
       via  2513ae737d195c220aa82f08945c67ba6fdb6c1e (commit)
       via  bb3834231ec78a2d7b0bc4201906467c47ea7aa4 (commit)
       via  60fb533157f92fdfe630fd8e76d2ca5f4644ad5d (commit)
       via  1db04adbef997af2fba8356ef14e31db252a5cc2 (commit)
       via  3e5e8a4a88727c3ab3871fa683b97beb0e307684 (commit)
      from  d0ff84a67542250eac49661ff97dfaf1c6181b1c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 13585cc922d6836d2a908ff4a9f0a7024b086876
Merge: 5c3de12 d0ff84a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 16:59:32 2014 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5c3de120aabfaf150aa7303c4c3c92e3072da809
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 16:51:03 2014 +0100
openvpnctrl: Allow ICMP error messages to pass the transfer net.
commit a0a5c14f8525a2885e985b56d8ac360358b4c726
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 16:44:05 2014 +0100
firewall: Make sure that only packets that go through the tunnel are passing OVPNBLOCK.
commit 2513ae737d195c220aa82f08945c67ba6fdb6c1e
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 16:04:01 2014 +0100
firewall: Allow access to the entire GREEN/BLUE/ORANGE subnets.
This includes the firewall itself as well.
commit bb3834231ec78a2d7b0bc4201906467c47ea7aa4
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 15:02:42 2014 +0100
firewall: Sort order in which chains are initialized.
This has been some real trouble because multiple rules could not be properly inserted into the rule chains in the kernel because the chains did not exist yet.
commit 60fb533157f92fdfe630fd8e76d2ca5f4644ad5d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 15:01:58 2014 +0100
firewall: rules.pl: Don't reload custom firewall rules here.
commit 1db04adbef997af2fba8356ef14e31db252a5cc2
Merge: 3e5e8a4 c6f9675
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sat Mar 1 14:19:26 2014 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 3e5e8a4a88727c3ab3871fa683b97beb0e307684
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Feb 27 20:53:25 2014 +0100
firewall: Fix firewall policy table if only RED, GREEN + BLUE are present.
-----------------------------------------------------------------------
Summary of changes:
 config/firewall/firewall-policy |   12 ++++++++++++
 config/firewall/rules.pl        |    1 -
 html/cgi-bin/firewall.cgi       |    8 +++++---
 src/initscripts/init.d/firewall |   14 +++++++-------
 src/misc-progs/openvpnctrl.c    |    7 ++++++-
 5 files changed, 30 insertions(+), 12 deletions(-)
Difference in files: diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index bd1e40d..faf177c 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -52,6 +52,8 @@ case "${CONFIG_TYPE}" in ;; esac
+HAVE_OPENVPN="true" + # INPUT case "${FWPOLICY2}" in REJECT) @@ -61,6 +63,16 @@ case "${FWPOLICY2}" in iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT" ;; *) # DROP + # OpenVPN + # Allow direct access to the internal IP addresses of the firewall + # from remote subnets if forward policy is allowed. + case "${HAVE_OPENVPN},${POLICY}" in + true,MODE1) ;; + true,*) + iptables -A POLICYIN -i tun+ -j ACCEPT + ;; + esac + if [ "${DROPINPUT}" = "on" ]; then iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT" fi diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 40ca824..845da1f 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -112,7 +112,6 @@ if($param eq 'flush'){ }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){ &p2pblock; system ("/usr/sbin/firewall-policy"); - system ("/etc/sysconfig/firewall.local reload"); } } } diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index ce8d0f3..7b75765 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -2792,14 +2792,16 @@ END <font color="$Header::colourorange">$Lang::tr{'orange'}</font> ($Lang::tr{'fwdfw pol block'}) </td> +END + } + + print <<END; <td align='center'> <font color="$Header::colourgreen">$Lang::tr{'green'}</font> ($Lang::tr{'fwdfw pol block'}) </td> + </tr> END - } - - print"</tr>"; }
print <<END; diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 06a714a..dd67889 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -106,9 +106,10 @@ iptables_init() {
# Block OpenVPN transfer networks iptables -N OVPNBLOCK - for i in INPUT FORWARD; do - iptables -A ${i} -j OVPNBLOCK - done + iptables -A INPUT -i tun+ -j OVPNBLOCK + iptables -A OUTPUT -o tun+ -j OVPNBLOCK + iptables -A FORWARD -i tun+ -j OVPNBLOCK + iptables -A FORWARD -o tun+ -j OVPNBLOCK
# OpenVPN transfer network translation iptables -t nat -N OVPNNAT @@ -196,8 +197,6 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT
- iptables_red - # Custom prerouting chains (for transparent proxy) iptables -t nat -N SQUID iptables -t nat -A PREROUTING -j SQUID @@ -226,10 +225,11 @@ iptables_init() { iptables -N POLICYOUT iptables -A OUTPUT -j POLICYOUT
+ # Initialize firewall policies. /usr/sbin/firewall-policy
- # read new firewall - /usr/local/bin/firewallctrl + # Install firewall rules for the red interface. + iptables_red }
iptables_red() { diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c index 272db0f..462ce77 100644 --- a/src/misc-progs/openvpnctrl.c +++ b/src/misc-progs/openvpnctrl.c @@ -365,6 +365,7 @@ ERROR: }
void setFirewallRules(void) { + char command[STRING_SIZE]; char protocol[STRING_SIZE] = ""; char dport[STRING_SIZE] = ""; char dovpnip[STRING_SIZE] = ""; @@ -405,11 +406,15 @@ void setFirewallRules(void) { if (!strcmp(enableorange, "on") && strlen(orangeif)) addRule(OVPNINPUT, orangeif, protocol, dport);
+ /* Allow ICMP error messages to pass. */ + snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp" + " -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK); + executeCommand(command); + // read connection configuration connection *conn = getConnections();
// set firewall rules for n2n connections - char command[STRING_SIZE]; char *local_subnet_address = NULL; char *transfer_subnet_address = NULL; while (conn != NULL) {
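Review bot: in the first firewall-policy hunk, `HAVE_OPENVPN="true"` is a hardcoded constant, so the `case "${HAVE_OPENVPN},${POLICY}"` test introduced a few lines later can never take a path other than `true,*`; either derive the value from the OpenVPN configuration (whether the service is actually enabled) or drop the variable and state in a comment why the tun+ rule is wanted unconditionally.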
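Review bot: in the second firewall-policy hunk, the new `iptables -A POLICYIN -i tun+ -j ACCEPT` sits only inside the `*) # DROP` branch of `case "${FWPOLICY2}"`, so with the input policy set to REJECT the same OpenVPN traffic is still answered with `icmp-host-unreachable`; if that asymmetry is not intended, place the block before the `case`. The rule is also broader than the comment "access to the internal IP addresses of the firewall" suggests: `tun+` is a prefix match on any tun device, not only OpenVPN's, and no protocol, port or destination address is restricted, so consider limiting the destination to the GREEN/BLUE/ORANGE addresses and documenting the remaining scope.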
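Review bot: the rules.pl hunk removes `system ("/etc/sysconfig/firewall.local reload");` from the MODE2 branch, so a policy change through rules.pl no longer reapplies the custom rules; the commit message says they should not be reloaded "here" but not where that now happens, so please name the new path in the commit message and check that the other branches of the same if/elsif chain are handled the same way.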
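Review bot: the firewall.cgi hunk splits the heredoc so that the GREEN cell and the `</tr>` are printed unconditionally while only the ORANGE cell stays inside the block closed by `}`; that is the right fix for the RED/GREEN/BLUE layout, but the intent is not visible from the code itself, so a one-line comment before the new `print <<END;` stating that ORANGE is optional and that GREEN always closes the row would help the next reader.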
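Review bot: in the first init.d/firewall hunk, OVPNBLOCK was previously reached from INPUT and FORWARD for all traffic and is now reached only via `-i tun+` / `-o tun+`, and it is newly attached to OUTPUT as well; rules placed in OVPNBLOCK by openvpnctrl's `setFirewallRules()` were written for the inbound case, so they should be re-checked for locally generated traffic, and the commit message should mention the new OUTPUT hook, since "only packets that go through the tunnel" describes the interface restriction but not the added direction.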
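Review bot: the second init.d/firewall hunk drops the `iptables_red` call after the REDNAT setup; the call is re-added at the end of `iptables_init()` in the following hunk, so the net effect is an ordering change (red rules now come after the policy chains), which is worth one explicit sentence in the commit message rather than leaving the reader to pair the two hunks.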
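Review bot: the third init.d/firewall hunk removes the `/usr/local/bin/firewallctrl` call ("read new firewall") with no replacement and no mention in the commit message; after this change `iptables_init()` creates the chains and installs the policies and red rules, but nothing in the visible script loads the user rule set, so either state where that now happens (and that it runs after this function, which is the ordering problem the commit describes) or keep the call.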
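Review bot: in the second openvpnctrl.c hunk, the ICMP `--ctstate RELATED` `RETURN` rule is appended with `-A`, so its effect depends on OVPNBLOCK being empty when `setFirewallRules()` runs and on the blocking rules being added after it in the n2n loop; a repeated call without a flush appends another copy each time. A comment stating that ordering requirement, or pinning the rule with `-I OVPNBLOCK 1`, would make it robust. Minor: `snprintf(command, STRING_SIZE - 1, ...)` wastes one byte, as snprintf already NUL-terminates within the given size; `sizeof(command)` would be clearer now that `command` is declared at function scope in the preceding hunk.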
hooks/post-receive -- IPFire 2.x development tree