From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 13585cc922d6836d2a908ff4a9f0a7024b086876
Date: Sat, 01 Mar 2014 16:59:54 +0100	[thread overview]
Message-ID: <20140301155955.1DAF521068@argus.ipfire.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 7600 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  13585cc922d6836d2a908ff4a9f0a7024b086876 (commit)
       via  5c3de120aabfaf150aa7303c4c3c92e3072da809 (commit)
       via  a0a5c14f8525a2885e985b56d8ac360358b4c726 (commit)
       via  2513ae737d195c220aa82f08945c67ba6fdb6c1e (commit)
       via  bb3834231ec78a2d7b0bc4201906467c47ea7aa4 (commit)
       via  60fb533157f92fdfe630fd8e76d2ca5f4644ad5d (commit)
       via  1db04adbef997af2fba8356ef14e31db252a5cc2 (commit)
       via  3e5e8a4a88727c3ab3871fa683b97beb0e307684 (commit)
      from  d0ff84a67542250eac49661ff97dfaf1c6181b1c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 13585cc922d6836d2a908ff4a9f0a7024b086876
Merge: 5c3de12 d0ff84a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 16:59:32 2014 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 5c3de120aabfaf150aa7303c4c3c92e3072da809
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 16:51:03 2014 +0100

    openvpnctrl: Allow ICMP error messages to pass the transfer net.

commit a0a5c14f8525a2885e985b56d8ac360358b4c726
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 16:44:05 2014 +0100

    firewall: Make sure that only packets that go through the tunnel are passing OVPNBLOCK.

commit 2513ae737d195c220aa82f08945c67ba6fdb6c1e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 16:04:01 2014 +0100

    firewall: Allow access to the entire GREEN/BLUE/ORANGE subnets.
    
    This includes the firewall itself as well.

commit bb3834231ec78a2d7b0bc4201906467c47ea7aa4
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 15:02:42 2014 +0100

    firewall: Sort order in which chains are initialized.
    
    This has caused some real trouble because multiple rules could
    not be properly inserted into the rule chains in the kernel,
    as the chains did not exist yet.

commit 60fb533157f92fdfe630fd8e76d2ca5f4644ad5d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 15:01:58 2014 +0100

    firewall: rules.pl: Don't reload custom firewall rules here.

commit 1db04adbef997af2fba8356ef14e31db252a5cc2
Merge: 3e5e8a4 c6f9675
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 1 14:19:26 2014 +0100

    Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

commit 3e5e8a4a88727c3ab3871fa683b97beb0e307684
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Feb 27 20:53:25 2014 +0100

    firewall: Fix firewall policy table if only RED, GREEN + BLUE are present.

-----------------------------------------------------------------------

Summary of changes:
 config/firewall/firewall-policy | 12 ++++++++++++
 config/firewall/rules.pl        |  1 -
 html/cgi-bin/firewall.cgi       |  8 +++++---
 src/initscripts/init.d/firewall | 14 +++++++-------
 src/misc-progs/openvpnctrl.c    |  7 ++++++-
 5 files changed, 30 insertions(+), 12 deletions(-)

Difference in files:
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index bd1e40d..faf177c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,6 +52,8 @@ case "${CONFIG_TYPE}" in
 		;;
 esac
 
+HAVE_OPENVPN="true"
+
 # INPUT
 case "${FWPOLICY2}" in
 	REJECT)
@@ -61,6 +63,16 @@ case "${FWPOLICY2}" in
 		iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
 		;;
 	*) # DROP
+		# OpenVPN
+		# Allow direct access to the internal IP addresses of the firewall
+		# from remote subnets if forward policy is allowed.
+		case "${HAVE_OPENVPN},${POLICY}" in
+			true,MODE1) ;;
+			true,*)
+				iptables -A POLICYIN -i tun+ -j ACCEPT
+				;;
+		esac
+
 		if [ "${DROPINPUT}" = "on" ]; then
 			iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
 		fi
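Review bot: `HAVE_OPENVPN` is assigned the literal `"true"` in the earlier hunk of this file, so the `case` added here always reaches the `true,*` arm and `iptables -A POLICYIN -i tun+ -j ACCEPT` is installed whether or not an OpenVPN server is enabled or configured. The variable should be derived from the OpenVPN settings (or dropped, if it is only a placeholder) so that an ACCEPT on every `tun+` interface into the firewall itself exists only while OpenVPN is actually in use. The comment says access is granted "if forward policy is allowed" while the match is on `${POLICY}` not being `MODE1`; if MODE1 is the blocking policy, a comment on that arm such as `true,MODE1) ;; # forward policy blocks everything: no OpenVPN exception` would make it self-explanatory. The enclosing `case "${FWPOLICY2}"` closes outside the hunk.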
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 40ca824..845da1f 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -112,7 +112,6 @@ if($param eq 'flush'){
 		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
 			&p2pblock;
 			system ("/usr/sbin/firewall-policy");
-			system ("/etc/sysconfig/firewall.local reload");
 		}
 	}
 }
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index ce8d0f3..7b75765 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2792,14 +2792,16 @@ END
 						<font color="$Header::colourorange">$Lang::tr{'orange'}</font>
 						($Lang::tr{'fwdfw pol block'})
 					</td>
+END
+			}
+
+			print <<END;
 					<td align='center'>
 						<font color="$Header::colourgreen">$Lang::tr{'green'}</font>
 						($Lang::tr{'fwdfw pol block'})
 					</td>
+				</tr>
 END
-			}
-
-			print"</tr>";
 		}
 
 		print <<END;
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 06a714a..dd67889 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -106,9 +106,10 @@ iptables_init() {
 
 	# Block OpenVPN transfer networks
 	iptables -N OVPNBLOCK
-	for i in INPUT FORWARD; do
-		iptables -A ${i} -j OVPNBLOCK
-	done
+	iptables -A INPUT   -i tun+ -j OVPNBLOCK
+	iptables -A OUTPUT  -o tun+ -j OVPNBLOCK
+	iptables -A FORWARD -i tun+ -j OVPNBLOCK
+	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
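Review bot: The added `iptables -A OUTPUT -o tun+ -j OVPNBLOCK` sends locally generated traffic through OVPNBLOCK, which the removed INPUT/FORWARD loop never did, and the comment above it still reads only `# Block OpenVPN transfer networks`. Whether the OUTPUT jump has any effect depends on the rules openvpnctrl later appends to the chain (not visible here); if they match on ingress interface or source address only, it is a no-op and should be removed or documented as intentional. Suggest widening the comment to `# Run tunnel traffic (tun+) on INPUT, OUTPUT and FORWARD through OVPNBLOCK, which openvpnctrl populates`. iptables_init continues outside the hunk.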
@@ -196,8 +197,6 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT
 
-	iptables_red
-
 	# Custom prerouting chains (for transparent proxy)
 	iptables -t nat -N SQUID
 	iptables -t nat -A PREROUTING -j SQUID
@@ -226,10 +225,11 @@ iptables_init() {
 	iptables -N POLICYOUT
 	iptables -A OUTPUT -j POLICYOUT
 
+	# Initialize firewall policies.
 	/usr/sbin/firewall-policy
 
-	# read new firewall
-	/usr/local/bin/firewallctrl
+	# Install firewall rules for the red interface.
+	iptables_red
 }
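Review bot: The removed `/usr/local/bin/firewallctrl` call (`# read new firewall`) has no replacement in this hunk, and none of the commit messages say where user-defined rules are loaded now, so after `iptables_init` the chains that call used to fill are presumably left empty until something else runs it. If that is intentional, a comment at the end of the function, e.g. `# firewallctrl is invoked separately after init; do not call it here.`, would stop the call from being re-added; if not, the call should stay. Moving `iptables_red` after `/usr/sbin/firewall-policy` matches the ordering fix described in the bb38342 commit message, so that part reads as intended. iptables_init starts outside the hunk.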
 
 iptables_red() {
diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 272db0f..462ce77 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -365,6 +365,7 @@ ERROR:
 }
 
 void setFirewallRules(void) {
+	char command[STRING_SIZE];
 	char protocol[STRING_SIZE] = "";
 	char dport[STRING_SIZE] = "";
 	char dovpnip[STRING_SIZE] = "";
@@ -405,11 +406,15 @@ void setFirewallRules(void) {
 	if (!strcmp(enableorange, "on") && strlen(orangeif))
 		addRule(OVPNINPUT, orangeif, protocol, dport);
 
+	/* Allow ICMP error messages to pass. */
+	snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A %s -p icmp"
+		" -m conntrack --ctstate RELATED -j RETURN", OVPNBLOCK);
+	executeCommand(command);
+
 	// read connection configuration
 	connection *conn = getConnections();
 
 	// set firewall rules for n2n connections
-	char command[STRING_SIZE];
 	char *local_subnet_address = NULL;
 	char *transfer_subnet_address = NULL;
 	while (conn != NULL) {
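Review bot: The new `snprintf` passes `STRING_SIZE - 1` and discards the return value, so a truncated command string would still be handed to `executeCommand`. `snprintf` already NUL-terminates within the size it is given, so the size should be `sizeof command` and the result checked, e.g. `int n = snprintf(command, sizeof command, "..." , OVPNBLOCK); if (n < 0 || (size_t)n >= sizeof command) return;` (or whatever error path setFirewallRules uses — its body continues outside the hunk). With constant format arguments truncation cannot occur here, but the same `command` buffer is presumably reused in the n2n loop that follows with non-constant subnet strings, where the check matters. The rule is appended with `-A`, so it only takes effect after whatever is already in OVPNBLOCK; if earlier rules DROP before this RETURN, the ICMP exception would not apply — worth confirming against the order in which the chain is populated.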


hooks/post-receive
--
IPFire 2.x development tree
