This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 0eba3dc448e17d49299781706ff1f44f51413f3f (commit) via 4b12aa414c0ae63e135d3ec36737152fff44f6d9 (commit) from 4616ecceced8208c695e697395f0b916d875fb91 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 0eba3dc448e17d49299781706ff1f44f51413f3f
Author: Timo Eissler <timo@eissler.pro>
Date:   Thu Aug 7 20:11:22 2014 +0200

    firewall: updated rootfiles

commit 4b12aa414c0ae63e135d3ec36737152fff44f6d9
Author: Timo Eissler <timo@eissler.pro>
Date:   Thu Aug 7 19:00:58 2014 +0200

    firewall: fix faulty masquerading packets

-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/armv5tel/initscripts          |  4 +--
 config/rootfiles/common/i586/initscripts              |  4 +--
 lfs/initscripts                                       |  1 -
 src/initscripts/init.d/firewall                       | 31 +++++++++++++++++++---
 .../init.d/networking/red.down/20-firewall            |  3 +++
 .../init.d/networking/red.up/20-firewall              |  3 +++
 6 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 src/initscripts/init.d/networking/red.down/20-firewall
 create mode 100644 src/initscripts/init.d/networking/red.up/20-firewall
Difference in files: diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 7657fe6..dfe2e48 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -73,13 +73,13 @@ etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn -etc/rc.d/init.d/networking/red.down/20-RL-firewall +etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast -etc/rc.d/init.d/networking/red.up/20-RL-firewall +etc/rc.d/init.d/networking/red.up/20-firewall etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 458b966..622886f 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
@@ -75,13 +75,13 @@ etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn -etc/rc.d/init.d/networking/red.down/20-RL-firewall +etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast -etc/rc.d/init.d/networking/red.up/20-RL-firewall +etc/rc.d/init.d/networking/red.up/20-firewall etc/rc.d/init.d/networking/red.up/23-RS-snort etc/rc.d/init.d/networking/red.up/24-RS-qos etc/rc.d/init.d/networking/red.up/27-RS-squid diff --git a/lfs/initscripts b/lfs/initscripts index 02f9743..ab870dc 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -187,7 +187,6 @@ $(TARGET) : /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq - ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall
for i in green blue orange; do \ ln -sf any /etc/rc.d/init.d/networking/$$i; \ diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index f77bc02..0d80e7c 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -277,10 +277,16 @@ iptables_init() { /usr/sbin/firewall-policy
# Install firewall rules for the red interface. - iptables_red + iptables_red_up + + # If red has not been brought up yet, we will + # add the blocking rules for MASQUERADE + if [ ! -e "/var/ipfire/red/active" ]; then + iptables_red_down + fi }
-iptables_red() { +iptables_red_up() { iptables -F REDINPUT iptables -F REDFORWARD iptables -t nat -F REDNAT @@ -358,6 +364,18 @@ iptables_red() { /usr/local/bin/firewallctrl }
+iptables_red_down() { + # Prohibit packets to reach the masquerading rule + # while the wan interface is down - this is required to + # circumvent udp related NAT issues + # http://forum.ipfire.org/index.php?topic=11127.0 + iptables -F REDFORWARD + iptables -A REDFORWARD -o $IFACE -j DROP + + # Reload all rules. + /usr/local/bin/firewallctrl +} + # See how we were called. case "$1" in start) @@ -388,9 +406,9 @@ case "$1" in /etc/sysconfig/firewall.local start fi ;; - reload) + reload|up) boot_mesg "Reloading firewall" - iptables_red + iptables_red_up evaluate_retval
# run local firewall configuration, if present @@ -398,6 +416,11 @@ case "$1" in /etc/sysconfig/firewall.local reload fi ;; + down) + boot_mesg "Disabling firewall access to RED" + iptables_red_down + evaluate_retval + ;; restart) # run local firewall configuration, if present if [ -x /etc/sysconfig/firewall.local ]; then diff --git a/src/initscripts/init.d/networking/red.down/20-firewall b/src/initscripts/init.d/networking/red.down/20-firewall new file mode 100644 index 0000000..d21c97c --- /dev/null +++ b/src/initscripts/init.d/networking/red.down/20-firewall @@ -0,0 +1,3 @@ +#!/bin/bash + +exec /etc/rc.d/init.d/firewall down diff --git a/src/initscripts/init.d/networking/red.up/20-firewall b/src/initscripts/init.d/networking/red.up/20-firewall new file mode 100644 index 0000000..ca52b4b --- /dev/null +++ b/src/initscripts/init.d/networking/red.up/20-firewall @@ -0,0 +1,3 @@ +#!/bin/bash + +exec /etc/rc.d/init.d/firewall up
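Review bot: the rootfile rename from 20-RL-firewall to 20-firewall (both the armv5tel and the i586 hunks) lands in a separate commit (0eba3dc, "firewall: updated rootfiles") from the change that removes the symlink and adds the new hook scripts (4b12aa4). At 4b12aa4 the rootfiles therefore still list etc/rc.d/init.d/networking/red.up/20-RL-firewall and red.down/20-RL-firewall, which lfs/initscripts no longer creates, and do not list the new 20-firewall files. Squashing the rootfile update into 4b12aa4 keeps every commit on next buildable and bisectable.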
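Review bot: the lfs/initscripts hunk only drops the red.down symlink (`- ln -sf ../../firewall /etc/rc.d/init.d/networking/red.down/20-RL-firewall`), yet both rootfiles also replace red.up/20-RL-firewall with red.up/20-firewall. Please confirm that the red.up/20-RL-firewall symlink is not still created elsewhere in lfs/initscripts, and that the two new 20-firewall scripts under src/initscripts/init.d/networking are actually installed by the Makefile; otherwise the rootfile lists and the installed tree will disagree and the build will flag the mismatch.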
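Review bot: in the iptables_red_down hunk, `iptables -A REDFORWARD -o $IFACE -j DROP` uses $IFACE unquoted and unchecked, and the new iptables_init path calls it exactly when /var/ipfire/red/active is absent, i.e. possibly before red has ever been configured. If $IFACE is empty there, the command becomes `iptables -A REDFORWARD -o -j DROP`, which iptables rejects, and REDFORWARD is left flushed and empty instead of holding the DROP the patch intends, so the "block until red is up" behaviour silently does not apply. Suggest guarding with `[ -n "${IFACE}" ] || return` (or logging and dropping all forwarded traffic when no interface is known) and quoting "${IFACE}". Separately, iptables_init now runs /usr/local/bin/firewallctrl twice when red is down (once at the end of iptables_red_up, once from iptables_red_down); harmless, but a comment or a single reload at the end of iptables_init would make the intent clearer.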
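Review bot: the new `down)` case calls iptables_red_down but, unlike `reload|up)` directly above it, never runs /etc/sysconfig/firewall.local. If that asymmetry is intentional (admin-defined local rules should survive a red down event), a comment saying so would help; otherwise add the matching `firewall.local` call so local rules that reference the red interface are refreshed as well. Note also that `evaluate_retval` after iptables_red_down only reflects the exit status of the function's last command, /usr/local/bin/firewallctrl, so a failed DROP insert earlier in the function is reported as success; this matches the existing `reload` case, but for a rule whose whole purpose is to fail closed it would be worth checking the iptables return codes explicitly.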
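Review bot: both new hook scripts, red.up/20-firewall and red.down/20-firewall, are added with `new file mode 100644`, i.e. without the executable bit, whereas the symlinks they replace pointed at the executable firewall init script. Unless the build step that installs them sets 0755, or the red.up/red.down hook runner invokes each file through the shell, neither hook will execute and the masquerading fix will have no effect at runtime. Either commit them with the executable bit set (git update-index --chmod=+x on both files) or install them with an explicit mode in lfs/initscripts.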
hooks/post-receive -- IPFire 2.x development tree