This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated via c926c6375d11cca11b24dee3b538da8ae6aaa1f2 (commit) from fee04791f40ce7e4d7396fff53e5f2ed4fc5e99d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit c926c6375d11cca11b24dee3b538da8ae6aaa1f2
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Sat Apr 5 11:04:25 2014 +0200
firewall: fix green only mode.
disable masquerade and green IP/NET check if internet is connected via green.
-----------------------------------------------------------------------
Summary of changes:
 config/firewall/firewall-policy | 9 ++++++++-
 src/initscripts/init.d/firewall | 5 ++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
Difference in files: diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index 2176d6b..16e98a5 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -110,8 +110,15 @@ case "${POLICY}" in ;;
*) + # Access from GREEN is granted to everywhere - iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT + if [ "${IFACE}" = "${GREEN_DEV}" ]; then + # internet via green + # don't check source IP/NET if IFACE is GREEN + iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT + else + iptables -A POLICYFWD -i "${GREEN_DEV}" -s "${GREEN_NETADDRESS}/${GREEN_NETMASK}" -j ACCEPT + fi
# Grant access for IPsec VPN connections iptables -A POLICYFWD -m policy --pol ipsec --dir in -j ACCEPT diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index a67af70..246be37 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -311,7 +311,10 @@ iptables_red() {
# Outgoing masquerading (don't masqerade IPSEC (mark 50)) iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN - iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + + if [ "$IFACE" != "$GREEN_DEV" ]; then + iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE + fi
fi
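Review bot: in the new `if [ "${IFACE}" = "${GREEN_DEV}" ]` branch of config/firewall/firewall-policy, the source restriction is dropped entirely, so `iptables -A POLICYFWD -i "${GREEN_DEV}" -j ACCEPT` forwards traffic from any source address arriving on the green interface, which in this mode is also the internet-facing interface. The comment "don't check source IP/NET if IFACE is GREEN" states what is skipped but not why that is acceptable; please say so explicitly (for instance that green-only mode has no other internal network to forward into) or keep a narrower accept. The hunk also does not show where `IFACE` is set for this script; if it is unset the comparison is false and the else branch keeps the previous behaviour, which is a safe default but deserves a one-line comment.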
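Review bot: the `if [ "$IFACE" != "$GREEN_DEV" ]` guard in iptables_red() of src/initscripts/init.d/firewall leaves the preceding `-m mark --mark 50 -o $IFACE -j RETURN` rule in place unconditionally, which is harmless, but the comment block above it ("Outgoing masquerading ...") no longer describes the green case; add a short comment on the guarded branch saying that traffic leaving through green is intentionally forwarded without NAT. While touching that comment, the existing "masqerade" typo could become "masquerade". Quoting style also differs between the two files (`"${IFACE}"` in firewall-policy, `"$IFACE"` here); either works, but consistent use would help.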
hooks/post-receive -- IPFire 2.x development tree