From: <abe...@us...> - 2016-07-13 19:31:58
Revision: 7753 http://sourceforge.net/p/astlinux/code/7753 Author: abelbeck Date: 2016-07-13 19:31:55 +0000 (Wed, 13 Jul 2016) Log Message: ----------- arnofw, version bump to 2.0.1g-RC1, remove all our patches Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch Deleted: branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,11 +0,0 @@ ---- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500 -+++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500 -@@ -495,7 +495,7 @@ - sysctl_set_all "net.ipv6.conf" "forwarding" 1 - echo " Disabling Local IPv6 Auto-Configuration" - sysctl_set_all "net.ipv6.conf" "autoconf" 0 -- sysctl_set_all "net.ipv6.conf" "accept_ra" 0 -+ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values - fi - elif [ "$IP_FORWARDING" = "0" ]; then - echo " DISABLING packet forwarding" Deleted: branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,75 +0,0 @@ -From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 13 Feb 2016 16:16:16 -0600 -Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener - Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure - all un-needed ICMPv6 packets are dropped so they don't appear as annoying - logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for - pointing out the issue and testing a solution. - ---- - bin/arno-iptables-firewall | 10 ++++++++++ - etc/arno-iptables-firewall/firewall.conf | 6 ++++++ - share/arno-iptables-firewall/environment | 4 ++++ - 3 files changed, 20 insertions(+) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index f5095a5..b02a85f 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4574,6 +4574,11 @@ setup_firewall_rules() - for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do - ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT - done -+ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then -+ for icmpv6_type in $ICMPV6_MLD_TYPES; do -+ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT -+ done -+ fi - fi - - # Apply external (internet) interface policy for the input chain: -@@ -4592,6 +4597,11 @@ setup_firewall_rules() - - # ICMP traffic (flood) - iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN -+ -+ # Drop any remaining ICMPv6 traffic -+ if [ "$IPV6_SUPPORT" = "1" ]; then -+ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN -+ fi - done - - -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 9e80e20..2291916 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 - # 
----------------------------------------------------------------------------- - OPEN_ICMPV6=1 - -+# Enable (1) to make the default policy allow IPv6 ICMPv6 -+# Multicast Listener Discovery (RFC 2710, 3810) for INET access -+# Note: Requires setting OPEN_ICMPV6=1 to apply. -+# ----------------------------------------------------------------------------- -+OPEN_ICMPV6_MLD=0 -+ - # Put in the following variables which ports or IP protocols you want to leave - # open to the whole world. - # ----------------------------------------------------------------------------- -diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment -index 5728e4c..616c29c 100644 ---- a/share/arno-iptables-firewall/environment -+++ b/share/arno-iptables-firewall/environment -@@ -1698,6 +1698,10 @@ fi - ###################################################################### - ICMPV6_SPECIAL_TYPES="133 134 135 136" - -+# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) -+###################################################################### -+ICMPV6_MLD_TYPES="130 131 132 143" -+ - # Check plugin bin path and fallback in case it's empty - ####################################################### - if [ -z "$PLUGIN_BIN_PATH" ]; then Deleted: branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,186 +0,0 @@ -From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 9 Jan 2016 10:04:46 -0600 -Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 - ---- - .../plugins/pptp-vpn-passthrough.conf | 14 +++ - .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ - .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + - 3 files changed, 153 insertions(+) - create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf - create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin - create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG - -diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -new file mode 100644 -index 0000000..250bc0d ---- /dev/null -+++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -@@ -0,0 +1,14 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# ------------------------------------------------------------------------------ -+ -+# To actually enable this plugin make ENABLED=1: -+# ------------------------------------------------------------------------------ -+ENABLED=0 -+ -+# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients -+# have NAT between them and the PPTP VPN server special packet handling must be performed. -+# This plugin loads the required Linux Kernel modules to handle that situation. 
-+# -+# No configuration options -+# ------------------------------------------------------------------------------ -diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -new file mode 100644 -index 0000000..379a1dd ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -@@ -0,0 +1,135 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# -+PLUGIN_NAME="PPTP VPN Passthrough plugin" -+PLUGIN_VERSION="1.00" -+PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" -+# -+# Last changed : January 9, 2016 -+# Requirements : AIF 2.0.0+ and ip_nat_pptp -+# Comments : This plugin loads the required kernel modules for PPTP VPN Clients -+# to access remote PPTP VPN Server(s) when NAT is enabled. -+# -+# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort -+# Homepage : http://rocky.eld.leidenuniv.nl/ -+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l -+# (note: you must remove all spaces and substitute the @ and the . -+# at the proper locations!) -+# ------------------------------------------------------------------------------ -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License -+# version 2 as published by the Free Software Foundation. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
-+# ------------------------------------------------------------------------------ -+ -+# Plugin start function -+plugin_start() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ echo "${INDENT}Enable PPTP NAT helper module" -+ modprobe_multi nf_nat_pptp ip_nat_pptp -+ else -+ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin restart function -+plugin_restart() -+{ -+ -+ # Skip plugin_stop on a restart -+ plugin_start -+ -+ return 0 -+} -+ -+ -+# Plugin stop function -+plugin_stop() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ if [ -e /proc/modules -a -x "$MODPROBE" ]; then -+ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then -+ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 -+ fi -+ if [ $? -eq 0 ]; then -+ echo "${INDENT}Disabled PPTP NAT helper module" -+ fi -+ fi -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin status function -+plugin_status() -+{ -+ return 0 -+} -+ -+ -+# Check sanity of eg. environment -+plugin_sanity_check() -+{ -+ return 0 -+} -+ -+ -+############ -+# Mainline # -+############ -+ -+# Check where to find the config file -+CONF_FILE="" -+if [ -n "$PLUGIN_CONF_PATH" ]; then -+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" -+fi -+ -+# Preinit to success: -+PLUGIN_RET_VAL=0 -+ -+# Check if the config file exists -+if [ ! -e "$CONF_FILE" ]; then -+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 -+else -+ # Source the plugin config file -+ . "$CONF_FILE" -+ -+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || -+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then -+ # Show who we are: -+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" -+ -+ # Increment indention -+ INDENT="$INDENT " -+ -+ # Only proceed if environment ok -+ if ! 
plugin_sanity_check; then -+ PLUGIN_RET_VAL=1 -+ else -+ case $PLUGIN_CMD in -+ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; -+ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; -+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; -+ status ) plugin_status; PLUGIN_RET_VAL=$? ;; -+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; -+ esac -+ fi -+ fi -+fi -diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -new file mode 100644 -index 0000000..042b789 ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -@@ -0,0 +1,4 @@ -+Version 1.00 (January 9, 2016) -+----------------------------------- -++ Initial version -+ - Deleted: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,253 +0,0 @@ -diff --git a/README b/README -index 093151a..802ce61 100644 ---- a/README -+++ b/README -@@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic - INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic - INT_INPUT_CHAIN - Internal-net INPUT chain - INT_OUTPUT_CHAIN - Internal-net OUTPUT chain -+LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) - LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain - POST_INPUT_CHAIN - This chain is always processed last(post) in the - INPUT chain -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index b02a85f..beee62d 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -2263,6 +2263,79 @@ setup_int_input_chain() - } - - -+################################################## -+# Setup chain for the LAN-to-LAN forward traffic # -+################################################## -+setup_lan_lan_forward_chain() -+{ -+ local rtn_val=1 -+ -+ echo " Setting up LAN->LAN policy" -+ -+ # TCP ports to ALLOW for certain Inter-LAN hosts -+ ################################################ -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_TCP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for port in $ports; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ # UDP ports to ALLOW for certain Inter-LAN hosts -+ ################################################ -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_UDP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): 
$ports" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for port in $ports; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ # IP protocol(s) to ALLOW for certain Inter-LAN hosts -+ ##################################################### -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_IP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for proto in $protos; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ return $rtn_val -+} -+ -+ - ################################################### - # Setup chain for the LAN-to-INET forward traffic # - ################################################### -@@ -4803,7 +4876,10 @@ setup_firewall_rules() - echo " Logging of denied LAN->INET FORWARD connections disabled" - fi - -- # Setup helper chain for the LAN: -+ # Setup helper chains for the LAN: -+ setup_lan_lan_forward_chain; -+ lan_lan_forward_result=$? 
-+ - setup_lan_inet_forward_chain; - - IFS=' ,' -@@ -4813,10 +4889,20 @@ setup_firewall_rules() - # Always make subnets on the SAME interface trust each other - iptables -A FORWARD -i $iif -o $iif -j ACCEPT - -+ # Optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules -+ if [ $lan_lan_forward_result -eq 0 ]; then -+ for output_if in $INT_IF; do -+ if [ "$iif" != "$output_if" ]; then -+ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN -+ fi -+ done -+ fi -+ - for eif in $EXT_IF; do - iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN - done - done -+ unset lan_lan_forward_result - fi - - -@@ -5035,6 +5121,7 @@ create_user_chains() - iptables -N DMZ_LAN_FORWARD_CHAIN - iptables -N INET_DMZ_FORWARD_CHAIN - iptables -N DMZ_INET_FORWARD_CHAIN -+ iptables -N LAN_LAN_FORWARD_CHAIN - iptables -N LAN_INET_FORWARD_CHAIN - - # Chains for the external interface -@@ -5091,6 +5178,7 @@ flush_user_chains() - iptables -F DMZ_LAN_FORWARD_CHAIN - iptables -F INET_DMZ_FORWARD_CHAIN - iptables -F DMZ_INET_FORWARD_CHAIN -+ iptables -F LAN_LAN_FORWARD_CHAIN - iptables -F LAN_INET_FORWARD_CHAIN - - # Chains for the external interface -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 2291916..73554d2 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -696,6 +696,40 @@ LAN_HOST_DENY_IP="" - - - ############################################################################### -+# LAN_LAN_xxx = LAN->LAN access rules (forward) # -+############################################################################### -+ -+# Put in the following variables which LAN hosts you want to allow to certain -+# hosts/services on a different LAN (net). 
-+# -+# TCP/UDP form: -+# "SRCIP1,SRCIP2,...>DESTIP1~port \ -+# SRCIP3,...>DESTIP2~port" -+# -+# IP form: -+# "SRCIP1,SRCIP2,...>DESTIP1~protocol \ -+# SRCIP3,...>DESTIP2~protocol" -+# -+# TCP/UDP examples: -+# Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): -+# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80" -+# Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts (0/0) and -+# allow port 80 from LAN host 5.6.7.8 (only) to LAN host 1.2.3.4): -+# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" -+# -+# IP protocol example: -+# (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): -+# LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48" -+# -+# NOTE 1: If no SRCIPx is specified, any source host is used -+# NOTE 2: If no port is specified, any port is used -+# ----------------------------------------------------------------------------- -+LAN_LAN_HOST_OPEN_TCP="" -+LAN_LAN_HOST_OPEN_UDP="" -+LAN_LAN_HOST_OPEN_IP="" -+ -+ -+############################################################################### - # LAN_INET_xxx = LAN->internet access rules (forward) # - # # - # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are # - - -From dd4ac2ea35da58eb625a3e1bb87dc707044f13a6 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Wed, 22 Jun 2016 14:55:37 -0500 -Subject: [PATCH] removed: unused INT_FORWARD_IN_CHAIN and - INT_FORWARD_OUT_CHAIN user chains, related #28 - ---- - README | 2 -- - bin/arno-iptables-firewall | 12 ------------ - 2 files changed, 14 deletions(-) - -diff --git a/README b/README -index 802ce61..3f88069 100644 ---- a/README -+++ b/README -@@ -476,8 +476,6 @@ HOST_BLOCK_DST - Chain containing the list of destination based - blocked hosts - HOST_BLOCK_SRC - Chain containing the list of source based blocked - hosts --INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic --INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming 
traffic - INT_INPUT_CHAIN - Internal-net INPUT chain - INT_OUTPUT_CHAIN - Internal-net OUTPUT chain - LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index beee62d..99735ee 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4769,14 +4769,6 @@ setup_firewall_rules() - iptables -A FORWARD -o $eif -j EXT_FORWARD_OUT_CHAIN - done - -- # Source the IN/OUT chains for the internal interface(s) -- ######################################################## -- IFS=' ,' -- for iif in $INT_IF; do -- iptables -A FORWARD -i $iif -j INT_FORWARD_IN_CHAIN -- iptables -A FORWARD -o $iif -j INT_FORWARD_OUT_CHAIN -- done -- - # Source the IN/OUT chains for the dmz interface(s) - ######################################################## - IFS=' ,' -@@ -5135,8 +5127,6 @@ create_user_chains() - - # INT(LAN) chains - iptables -N INT_INPUT_CHAIN -- iptables -N INT_FORWARD_IN_CHAIN -- iptables -N INT_FORWARD_OUT_CHAIN - iptables -N INT_OUTPUT_CHAIN - - # DMZ chains -@@ -5192,8 +5182,6 @@ flush_user_chains() - - # INT(LAN) chains - iptables -F INT_INPUT_CHAIN -- iptables -F INT_FORWARD_IN_CHAIN -- iptables -F INT_FORWARD_OUT_CHAIN - iptables -F INT_OUTPUT_CHAIN - - # DMZ chains Deleted: branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,46 +0,0 @@ -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index 0cb5cba..d825c0b 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4814,6 +4814,8 @@ setup_firewall_rules() - setup_dmz_inet_forward_chain; - setup_dmz_lan_forward_chain; - -+ echo " Allowing LAN->DMZ for LAN interface(s): ${LAN_DMZ_ALLOW_IF:-$INT_IF}" -+ - IFS=' ,' - for dif in $DMZ_IF; do - echo "Applying DMZ FORWARD policy to interface: $dif" -@@ -4834,8 +4836,13 @@ setup_firewall_rules() - # Apply policy for DMZ->LAN - iptables -A FORWARD -i $dif -o $iif -j DMZ_LAN_FORWARD_CHAIN - -- # Apply policy for LAN->DMZ (allow all) -- iptables -A FORWARD -i $iif -o $dif -j ACCEPT -+ # Apply policy for LAN->DMZ (allow all INT_IF when LAN_DMZ_ALLOW_IF is not defined) -+ for interface in ${LAN_DMZ_ALLOW_IF:-$INT_IF}; do -+ if [ "$iif" = "$interface" ]; then -+ iptables -A FORWARD -i $iif -o $dif -j ACCEPT -+ break -+ fi -+ done - done - done - fi -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 83ef1dc..6d3bd19 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -125,6 +125,12 @@ DMZ_IF="" - # ----------------------------------------------------------------------------- - DMZ_NET="" - -+# Specify the LAN (INT_IF) interfaces that are allowed full access to the -+# DMZ interface(s). (LAN to DMZ forwarding policy) -+# If LAN_DMZ_ALLOW_IF is not defined, all the INT_IF interfaces will be allowed. -+# ----------------------------------------------------------------------------- -+LAN_DMZ_ALLOW_IF="" -+ - # Set this variable to 0 to disable antispoof checking for the dmz nets - # (EXPERT SETTING!) 
- # -----------------------------------------------------------------------------
Modified: branches/1.0/package/arnofw/arnofw.mk
===================================================================
--- branches/1.0/package/arnofw/arnofw.mk 2016-07-12 17:02:11 UTC (rev 7752)
+++ branches/1.0/package/arnofw/arnofw.mk 2016-07-13 19:31:55 UTC (rev 7753)
@@ -3,11 +3,11 @@
 # Arno's IPtables Firewall Script #
 #############################################################
-ARNOFW_VER := 2.0.1f
+ARNOFW_VER := 2.0.1g-RC1
 ARNOFW_ROOT := arno-iptables-firewall
 ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz
-ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall
-#ARNOFW_SITE := http://files.astlinux-project.org
+#ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall
+ARNOFW_SITE := http://files.astlinux-project.org
 ARNOFW_DIR := $(BUILD_DIR)/$(ARNOFW_ROOT)_$(ARNOFW_VER)
 ARNOFW_CAT := zcat
 ARNOFW_TARGET_BINARY := /usr/sbin/arno-iptables-firewall
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
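Review bot: The 2.0.1g-RC1 tarball is now fetched from the newly activated `ARNOFW_SITE := http://files.astlinux-project.org` over plain http, and nothing in this hunk pins a digest for `$(ARNOFW_SOURCE)`, so unless a checksum is declared elsewhere in arnofw.mk or a sibling hash file, the build accepts whatever that mirror serves for the new version. If the package format supports it, add a hash entry for the new tarball next to the version bump (placeholder: `<sha256-of-arno-iptables-firewall_2.0.1g-RC1.tar.gz>`) and switch the URL to https if the mirror offers it. The log message says all local patches are removed, yet the hunk shows no change to patch application, so patch handling is presumably wildcard-based; a one-line comment near `ARNOFW_SOURCE` such as `# 2.0.1g-RC1 is built unpatched; the former 0001-0005 patches are presumed upstream` would stop someone from reintroducing them. The download and patch rules of arnofw.mk, if any, lie outside this hunk.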