Revision: 7746
http://sourceforge.net/p/astlinux/code/7746
Author: abelbeck
Date: 2016-07-09 16:14:30 +0000 (Sat, 09 Jul 2016)
Log Message:
-----------
arnofw, added: LAN to DMZ forwarding policy, new optional LAN_DMZ_ALLOW_IF variable
Ref: https://github.com/arno-iptables-firewall/aif/commit/fc00939ffe317610e52cd9fa4db573e3b0191d03
Added Paths:
-----------
branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch
Added: branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch
===================================================================
--- branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch (rev 0)
+++ branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch 2016-07-09 16:14:30 UTC (rev 7746)
@@ -0,0 +1,46 @@
+diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
+index 0cb5cba..d825c0b 100755
+--- a/bin/arno-iptables-firewall
++++ b/bin/arno-iptables-firewall
+@@ -4814,6 +4814,8 @@ setup_firewall_rules()
+ setup_dmz_inet_forward_chain;
+ setup_dmz_lan_forward_chain;
+
++ echo " Allowing LAN->DMZ for LAN interface(s): ${LAN_DMZ_ALLOW_IF:-$INT_IF}"
++
+ IFS=' ,'
+ for dif in $DMZ_IF; do
+ echo "Applying DMZ FORWARD policy to interface: $dif"
+@@ -4834,8 +4836,13 @@ setup_firewall_rules()
+ # Apply policy for DMZ->LAN
+ iptables -A FORWARD -i $dif -o $iif -j DMZ_LAN_FORWARD_CHAIN
+
+- # Apply policy for LAN->DMZ (allow all)
+- iptables -A FORWARD -i $iif -o $dif -j ACCEPT
++ # Apply policy for LAN->DMZ (allow all INT_IF when LAN_DMZ_ALLOW_IF is not defined)
++ for interface in ${LAN_DMZ_ALLOW_IF:-$INT_IF}; do
++ if [ "$iif" = "$interface" ]; then
++ iptables -A FORWARD -i $iif -o $dif -j ACCEPT
++ break
++ fi
++ done
+ done
+ done
+ fi
+diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf
+index 83ef1dc..6d3bd19 100644
+--- a/etc/arno-iptables-firewall/firewall.conf
++++ b/etc/arno-iptables-firewall/firewall.conf
+@@ -125,6 +125,12 @@ DMZ_IF=""
+ # -----------------------------------------------------------------------------
+ DMZ_NET=""
+
++# Specify the LAN (INT_IF) interfaces that are allowed full access to the
++# DMZ interface(s). (LAN to DMZ forwarding policy)
++# If LAN_DMZ_ALLOW_IF is not defined, all the INT_IF interfaces will be allowed.
++# -----------------------------------------------------------------------------
++LAN_DMZ_ALLOW_IF=""
++
+ # Set this variable to 0 to disable antispoof checking for the dmz nets
+ # (EXPERT SETTING!)
+ # -----------------------------------------------------------------------------
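Review bot: In the new LAN->DMZ loop an entry of LAN_DMZ_ALLOW_IF that matches no interface of the enclosing `for iif` loop is silently ignored, so a misspelled interface name leaves that LAN segment without its ACCEPT rule and the only trace is the raw list printed by the added echo; that fails closed, which is the right direction, but an explicit diagnostic would be worth adding, e.g. after the DMZ loops, iterate `${LAN_DMZ_ALLOW_IF}` once more under the same `IFS=' ,'`, test each entry against `$INT_IF`, and print `"WARNING: LAN_DMZ_ALLOW_IF interface $interface is not an INT_IF interface"` to stderr for any that does not appear. The `${LAN_DMZ_ALLOW_IF:-$INT_IF}` expansion also treats an empty value exactly like an unset one, so the `LAN_DMZ_ALLOW_IF=""` default shipped in firewall.conf still allows every INT_IF interface and there is no way to express "no LAN interface" through this variable; the firewall.conf comment should say so, e.g. `# If LAN_DMZ_ALLOW_IF is empty or not defined, all the INT_IF interfaces will be allowed.` The `for iif` loop and setup_firewall_rules() that enclose the new code start outside the hunk, so the exact source of `$iif` is inferred from the context lines.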