d42f4731180af70e6d3f83ddfcdd636bbb9d1f6d
[tomato.git] / release / src / router / rc / firewall.c
blobd42f4731180af70e6d3f83ddfcdd636bbb9d1f6d
1 /*
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and it not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
18 */
19 /*
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
24 */
26 #include "rc.h"
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
32 char wanface[IFNAMSIZ];
33 char lanface[IFNAMSIZ];
34 char lan_cclass[sizeof("xxx.xxx.xxx.")];
35 char wanaddr[sizeof("xxx.xxx.xxx.xxx")];
36 static int web_lanport;
38 #ifdef DEBUG_IPTFILE
39 static int debug_only = 0;
40 #endif
42 static int gateway_mode;
43 static int remotemanage;
44 static int wanup;
46 const char *chain_in_drop;
47 const char *chain_in_accept;
48 const char *chain_out_drop;
49 const char *chain_out_accept;
50 const char *chain_out_reject;
52 const char ipt_fname[] = "/etc/iptables";
53 FILE *ipt_file;
56 /*
57 struct {
58 } firewall_data;
59 */
61 // -----------------------------------------------------------------------------
64 void enable_ip_forward(void)
65 {
66 /*
67 ip_forward - BOOLEAN
68 0 - disabled (default)
69 not 0 - enabled
71 Forward Packets between interfaces.
73 This variable is special, its change resets all configuration
74 parameters to their default state (RFC1122 for hosts, RFC1812
75 for routers)
76 */
77 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
78 }
81 // -----------------------------------------------------------------------------
83 /*
84 static int ip2cclass(char *ipaddr, char *new, int count)
85 {
86 int ip[4];
88 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
89 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
90 }
91 */
94 static int dmz_dst(char *s)
95 {
96 struct in_addr ia;
97 char *p;
98 int n;
100 if (nvram_get_int("dmz_enable") <= 0) return 0;
102 p = nvram_safe_get("dmz_ipaddr");
103 if ((ia.s_addr = inet_addr(p)) == (in_addr_t)-1) {
104 if (((n = atoi(p)) <= 0) || (n >= 255)) return 0;
105 if (s) sprintf(s, "%s%d", lan_cclass, n);
106 return 1;
109 if (s) strcpy(s, inet_ntoa(ia));
110 return 1;
113 static void ipt_source(const char *s, char *src)
115 if ((*s) && (strlen(s) < 32)) sprintf(src, "-%s %s", strchr(s, '-') ? "m iprange --src-range" : "s", s);
116 else *src = 0;
119 /*
120 static void get_src(const char *nv, char *src)
122 char *p;
124 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
125 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
127 else {
128 *src = 0;
131 */
133 void ipt_write(const char *format, ...)
135 va_list args;
137 va_start(args, format);
138 vfprintf(ipt_file, format, args);
139 va_end(args);
142 // -----------------------------------------------------------------------------
145 int ipt_ipp2p(const char *v, char *opt)
147 int n = atoi(v);
149 if (n == 0) {
150 *opt = 0;
151 return 0;
154 strcpy(opt, "-m ipp2p ");
155 if ((n & 0xFFF) == 0xFFF) {
156 strcat(opt, "--ipp2p");
158 else {
159 // x12
160 if (n & 0x0001) strcat(opt, "--apple ");
161 if (n & 0x0002) strcat(opt, "--ares ");
162 if (n & 0x0004) strcat(opt, "--bit ");
163 if (n & 0x0008) strcat(opt, "--dc ");
164 if (n & 0x0010) strcat(opt, "--edk ");
165 if (n & 0x0020) strcat(opt, "--gnu ");
166 if (n & 0x0040) strcat(opt, "--kazaa ");
167 if (n & 0x0080) strcat(opt, "--mute ");
168 if (n & 0x0100) strcat(opt, "--soul ");
169 if (n & 0x0200) strcat(opt, "--waste ");
170 if (n & 0x0400) strcat(opt, "--winmx ");
171 if (n & 0x0800) strcat(opt, "--xdcc ");
174 modprobe("ipt_ipp2p");
175 return 1;
179 // -----------------------------------------------------------------------------
182 char **layer7_in;
184 // This L7 matches inbound traffic, caches the results, then the L7 outbound
185 // should read the cached result and set the appropriate marks -- zzz
186 void ipt_layer7_inbound(void)
188 int en;
189 char **p;
191 if (!layer7_in) return;
193 en = nvram_match("nf_l7in", "1");
194 if (en) {
195 ipt_write(
196 ":L7in - [0:0]\n"
197 "-A FORWARD -i %s -j L7in\n",
198 wanface);
201 p = layer7_in;
202 while (*p) {
203 if (en) ipt_write("-A L7in %s -j RETURN\n", *p);
204 free(*p);
205 ++p;
207 free(layer7_in);
208 layer7_in = NULL;
211 int ipt_layer7(const char *v, char *opt)
213 char s[128];
214 char *path;
216 *opt = 0;
217 if (*v == 0) return 0;
218 if (strlen(v) > 32) return -1;
220 path = "/etc/l7-extra";
221 sprintf(s, "%s/%s.pat", path, v);
222 if (!f_exists(s)) {
223 path = "/etc/l7-protocols";
224 sprintf(s, "%s/%s.pat", path, v);
225 if (!f_exists(s)) {
226 syslog(LOG_ERR, "L7 %s was not found", v);
227 return -1;
231 sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v);
233 if (nvram_match("nf_l7in", "1")) {
234 if (!layer7_in) layer7_in = calloc(51, sizeof(char *));
235 if (layer7_in) {
236 char **p;
238 p = layer7_in;
239 while (*p) {
240 if (strcmp(*p, opt) == 0) return 1;
241 ++p;
243 if (((p - layer7_in) / sizeof(char *)) < 50) *p = strdup(opt);
247 modprobe("ipt_layer7");
248 return 1;
253 // -----------------------------------------------------------------------------
254 // MANGLE
255 // -----------------------------------------------------------------------------
257 static void mangle_table(void)
259 int ttl;
260 char *p;
262 ipt_write(
263 "*mangle\n"
264 ":PREROUTING ACCEPT [0:0]\n"
265 ":OUTPUT ACCEPT [0:0]\n");
267 if (wanup) {
268 ipt_qos();
270 ttl = nvram_get_int("nf_ttl");
271 if (ttl != 0) {
272 modprobe("ipt_TTL");
273 if (ttl > 0) {
274 p = "in";
276 else {
277 ttl = -ttl;
278 p = "de";
280 ipt_write(
281 "-I PREROUTING -i %s -j TTL --ttl-%sc %d\n"
282 "-I POSTROUTING -o %s -j TTL --ttl-%sc %d\n",
283 wanface, p, ttl,
284 wanface, p, ttl);
288 ipt_write("COMMIT\n");
293 // -----------------------------------------------------------------------------
294 // NAT
295 // -----------------------------------------------------------------------------
297 static void nat_table(void)
299 char lanaddr[32];
300 char lanmask[32];
301 char dst[64];
302 char src[64];
303 char t[512];
304 char *p, *c;
306 ipt_write("*nat\n"
307 ":PREROUTING ACCEPT [0:0]\n"
308 ":POSTROUTING ACCEPT [0:0]\n"
309 ":OUTPUT ACCEPT [0:0]\n");
310 if (gateway_mode) {
311 strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
312 strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));
314 // Drop incoming packets which destination IP address is to our LAN side directly
315 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
316 wanface,
317 lanaddr, lanmask); // note: ipt will correct lanaddr
319 if (wanup) {
320 if (nvram_match("dns_intcpt", "1")) {
321 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
322 lanaddr, lanmask,
323 lanaddr, lanmask,
324 lanaddr);
327 // ICMP packets are always redirected to INPUT chains
328 ipt_write("-A PREROUTING -p icmp -d %s -j DNAT --to-destination %s\n", wanaddr, lanaddr);
331 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
332 p = t;
333 do {
334 if ((c = strchr(p, ',')) != NULL) *c = 0;
335 ipt_source(p, src);
337 if (remotemanage) {
338 ipt_write("-A PREROUTING -p tcp -m tcp %s -d %s --dport %s -j DNAT --to-destination %s:%d\n",
339 src,
340 wanaddr, nvram_safe_get("http_wanport"),
341 lanaddr, web_lanport);
343 if (nvram_get_int("sshd_remote")) {
344 ipt_write("-A PREROUTING %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n",
345 src,
346 wanaddr, nvram_safe_get("sshd_rport"),
347 lanaddr, nvram_safe_get("sshd_port"));
350 if (!c) break;
351 p = c + 1;
352 } while (*p);
354 ipt_forward(IPT_TABLE_NAT);
355 ipt_triggered(IPT_TABLE_NAT);
358 if (nvram_get_int("upnp_enable") & 3) {
359 ipt_write(":upnp - [0:0]\n");
360 if (wanup) {
361 // ! for loopback (all) to work
362 ipt_write("-A PREROUTING -d %s -j upnp\n", wanaddr);
364 else {
365 ipt_write("-A PREROUTING -i %s -j upnp\n", wanface);
369 if (wanup) {
370 if (dmz_dst(dst)) {
371 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
372 p = t;
373 do {
374 if ((c = strchr(p, ',')) != NULL) *c = 0;
375 ipt_source(p, src);
376 ipt_write("-A PREROUTING %s -d %s -j DNAT --to-destination %s\n", src, wanaddr, dst);
377 if (!c) break;
378 p = c + 1;
379 } while (*p);
383 if ((!wanup) || (nvram_get_int("net_snat") != 1)) {
384 ipt_write("-A POSTROUTING -o %s -j MASQUERADE\n", wanface);
386 else {
387 ipt_write("-A POSTROUTING -o %s -j SNAT --to-source %s\n", wanface, wanaddr);
390 switch (nvram_get_int("nf_loopback")) {
391 case 1: // 1 = forwarded-only
392 case 2: // 2 = disable
393 break;
394 default: // 0 = all (same as block_loopback=0)
395 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
396 lanface,
397 lanaddr, lanmask,
398 lanaddr, lanmask);
399 break;
402 ipt_write("COMMIT\n");
405 // -----------------------------------------------------------------------------
406 // FILTER
407 // -----------------------------------------------------------------------------
409 static void filter_input(void)
411 char s[64];
412 char t[512];
413 char *en;
414 char *sec;
415 char *hit;
416 int n;
417 char *p, *c;
419 if ((nvram_get_int("nf_loopback") != 0) && (wanup)) { // 0 = all
420 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanaddr);
423 ipt_write(
424 "-A INPUT -m state --state INVALID -j %s\n"
425 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
426 chain_in_drop);
429 strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
430 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
431 /*
432 ? what if the user uses the start button in GUI ?
433 if (nvram_get_int("telnetd_eas"))
434 if (nvram_get_int("sshd_eas"))
435 */
436 modprobe("ipt_recent");
438 ipt_write(
439 "-N shlimit\n"
440 "-A shlimit -m recent --set --name shlimit\n"
441 "-A shlimit -m recent --update --hitcount %s --seconds %s --name shlimit -j DROP\n",
442 hit, sec);
444 if (n & 1) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
445 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
448 ipt_write(
449 "-A INPUT -i %s -j ACCEPT\n"
450 "-A INPUT -i lo -j ACCEPT\n",
451 lanface);
453 // ICMP request from WAN interface
454 if (nvram_match("block_wan", "0")) {
455 ipt_write("-A INPUT -p icmp -j ACCEPT\n");
459 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
460 p = t;
461 do {
462 if ((c = strchr(p, ',')) != NULL) *c = 0;
464 ipt_source(p, s);
466 if (remotemanage) {
467 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %d -j %s\n",
468 s, nvram_safe_get("lan_ipaddr"), web_lanport, chain_in_accept);
471 if (nvram_get_int("sshd_remote")) {
472 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
473 s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("sshd_port"), chain_in_accept);
476 if (!c) break;
477 p = c + 1;
478 } while (*p);
481 // IGMP query from WAN interface
482 if (nvram_match("multicast_pass", "1")) {
483 ipt_write("-A INPUT -p igmp -j ACCEPT\n");
486 // Routing protocol, RIP, accept
487 if (nvram_invmatch("dr_wan_rx", "0")) {
488 ipt_write("-A INPUT -p udp -m udp --dport 520 -j ACCEPT\n");
491 // if logging
492 if (*chain_in_drop == 'l') {
493 ipt_write( "-A INPUT -j %s\n", chain_in_drop);
496 // default policy: DROP
499 // clamp TCP MSS to PMTU of WAN interface
500 static void clampmss(void)
502 int rmtu = nvram_get_int("wan_run_mtu");
504 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", rmtu - 39);
505 if (rmtu < 576) {
506 ipt_write("--clamp-mss-to-pmtu\n");
508 else {
509 ipt_write("--set-mss %d\n", rmtu - 40);
513 static void filter_forward(void)
515 char dst[64];
516 char src[64];
517 char t[512];
518 char *p, *c;
520 ipt_write(
521 "-A FORWARD -i %s -o %s -j ACCEPT\n" // accept all lan to lan
522 "-A FORWARD -m state --state INVALID -j DROP\n", // drop if INVALID state
523 lanface, lanface);
525 // clamp tcp mss to pmtu
526 clampmss();
528 if (wanup) {
529 ipt_restrictions();
530 ipt_layer7_inbound();
533 ipt_write(
534 ":wanin - [0:0]\n"
535 ":wanout - [0:0]\n"
536 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" // already established or related (via helper)
537 "-A FORWARD -i %s -j wanin\n" // generic from wan
538 "-A FORWARD -o %s -j wanout\n" // generic to wan
539 "-A FORWARD -i %s -j %s\n", // from lan
540 wanface, wanface, lanface, chain_out_accept);
542 if (nvram_get_int("upnp_enable") & 3) {
543 ipt_write(
544 ":upnp - [0:0]\n"
545 "-A FORWARD -i %s -j upnp\n",
546 wanface);
549 if (wanup) {
550 if (nvram_match("multicast_pass", "1")) {
551 ipt_write("-A wanin -p udp -m udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
553 ipt_triggered(IPT_TABLE_FILTER);
554 ipt_forward(IPT_TABLE_FILTER);
556 if (dmz_dst(dst)) {
557 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
558 p = t;
559 do {
560 if ((c = strchr(p, ',')) != NULL) *c = 0;
561 ipt_source(p, src);
562 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface, src, dst, chain_in_accept);
563 if (!c) break;
564 p = c + 1;
565 } while (*p);
570 // default policy: DROP
573 static void filter_table(void)
575 int n;
576 char limit[128];
578 ipt_write(
579 "*filter\n"
580 ":INPUT DROP [0:0]\n"
581 ":OUTPUT ACCEPT [0:0]\n"
582 );
584 n = nvram_get_int("log_limit");
585 if ((n >= 1) && (n <= 9999)) {
586 sprintf(limit, "-m limit --limit %d/m", n);
588 else {
589 limit[0] = 0;
592 if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
593 ipt_write(
594 ":logdrop - [0:0]\n"
595 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \" --log-tcp-options --log-ip-options\n"
596 "-A logdrop -j DROP\n"
597 ":logreject - [0:0]\n"
598 "-A logreject %s -j LOG --log-prefix \"REJECT \" --log-tcp-options --log-ip-options\n"
599 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
600 limit, limit);
602 if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
603 ipt_write(
604 ":logaccept - [0:0]\n"
605 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \" --log-tcp-options --log-ip-options\n"
606 "-A logaccept -j ACCEPT\n",
607 limit);
610 filter_input();
612 if ((gateway_mode) || (nvram_match("wk_mode_x", "1"))) {
613 ipt_write(":FORWARD DROP [0:0]\n");
614 filter_forward();
616 else {
617 ipt_write(":FORWARD ACCEPT [0:0]\n");
618 clampmss();
620 ipt_write("COMMIT\n");
624 // -----------------------------------------------------------------------------
626 int start_firewall(void)
628 DIR *dir;
629 struct dirent *dirent;
630 char s[256];
631 char *c;
632 int n;
633 int wanproto;
635 simple_lock("firewall");
636 simple_lock("restrictions");
638 wanproto = get_wan_proto();
639 wanup = check_wanup();
642 /*
643 block obviously spoofed IP addresses
645 rp_filter - BOOLEAN
646 1 - do source validation by reversed path, as specified in RFC1812
647 Recommended option for single homed hosts and stub network
648 routers. Could cause troubles for complicated (not loop free)
649 networks running a slow unreliable protocol (sort of RIP),
650 or using static routes.
651 0 - No source validation.
652 */
653 if ((dir = opendir("/proc/sys/net/ipv4/conf")) != NULL) {
654 while ((dirent = readdir(dir)) != NULL) {
655 sprintf(s, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name);
656 f_write_string(s, "1", 0, 0);
658 closedir(dir);
661 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
663 n = nvram_get_int("log_in");
664 chain_in_drop = (n & 1) ? "logdrop" : "DROP";
665 chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";
667 n = nvram_get_int("log_out");
668 chain_out_drop = (n & 1) ? "logdrop" : "DROP";
669 chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
670 chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";
672 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
674 strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);
676 if ((wanproto == WP_PPTP) || (wanproto == WP_L2TP) || (wanproto == WP_PPPOE)) {
677 strcpy(wanface, "ppp+");
679 else {
680 strlcpy(wanface, nvram_safe_get("wan_ifname"), sizeof(wanface));
683 strlcpy(wanaddr, get_wanip(), sizeof(wanaddr));
685 strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
686 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
687 strlcpy(lan_cclass, s, sizeof(lan_cclass));
689 gateway_mode = !nvram_match("wk_mode", "router");
690 if (gateway_mode) {
691 /* Remote management */
692 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
693 nvram_invmatch("http_wanport", "0")) remotemanage = 1;
694 else remotemanage = 0;
696 if (nvram_match("remote_mgt_https", "1")) {
697 web_lanport = nvram_get_int("https_lanport");
698 if (web_lanport <= 0) web_lanport = 443;
700 else {
701 web_lanport = nvram_get_int("http_lanport");
702 if (web_lanport <= 0) web_lanport = 80;
707 if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
708 syslog(LOG_CRIT, "Unable to create iptables restore file");
709 simple_unlock("firewall");
710 return 0;
713 mangle_table();
714 nat_table();
715 filter_table();
717 fclose(ipt_file);
718 ipt_file = NULL;
720 #ifdef DEBUG_IPTFILE
721 if (debug_only) {
722 simple_unlock("firewall");
723 simple_unlock("restrictions");
724 return 0;
726 #endif
728 if (nvram_get_int("upnp_enable") & 3) {
729 f_write("/etc/upnp/save", NULL, 0, 0, 0);
730 if (killall("miniupnpd", SIGUSR2) == 0) {
731 f_wait_notexists("/etc/upnp/save", 5);
735 if (eval("iptables-restore", (char *)ipt_fname) == 0) {
736 led(LED_DIAG, 0);
738 else {
739 sprintf(s, "%s.error", ipt_fname);
740 rename(ipt_fname, s);
741 syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
742 led(LED_DIAG, 1);
744 /*
746 -P INPUT DROP
747 -F INPUT
748 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
749 -A INPUT -i br0 -j ACCEPT
751 -P FORWARD DROP
752 -F FORWARD
753 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
754 -A FORWARD -i br0 -j ACCEPT
756 */
759 if (nvram_get_int("upnp_enable") & 3) {
760 f_write("/etc/upnp/load", NULL, 0, 0, 0);
761 killall("miniupnpd", SIGUSR2);
764 simple_unlock("restrictions");
765 sched_restrictions();
766 enable_ip_forward();
768 led(LED_DMZ, dmz_dst(NULL));
770 modprobe_r("ipt_layer7");
771 modprobe_r("ipt_ipp2p");
772 modprobe_r("ipt_web");
773 modprobe_r("ipt_TTL");
775 run_nvscript("script_fire", NULL, 1);
777 simple_unlock("firewall");
778 return 0;
781 int stop_firewall(void)
783 led(LED_DMZ, 0);
784 return 0;
787 #ifdef DEBUG_IPTFILE
788 void create_test_iptfile(void)
790 debug_only = 1;
791 start_firewall();
792 debug_only = 0;
794 #endif