Firewall related/established rule fixed in the header

Auto Initialize firewall with default ruleset for new webadmin instances
2025-06-28 01:07:03 +00:00 · 2024-03-05 08:39:01 -03:00 · 2024-03-05 08:39:01 -03:00 · 97db5844fe
commit 97db5844fe
parent 6d30dae51c
5 changed files with 30 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@
 *.pyo
 *.pyd
 wireguard_webadmin/production_settings.py
 .idea/
--- a/firewall/tools.py
+++ b/firewall/tools.py
@ -42,10 +42,12 @@ def reset_firewall_to_default():
        description='Masquerade traffic from VPN to WAN',
    )
-    FirewallRule.objects.create(
+    # This rule will now be fixed in the firewall header
-        firewall_chain='forward', sort_order=0, rule_action='accept', description='Allow established/related traffic', 
+    #FirewallRule.objects.create(
-        state_established=True, state_related=True
+    #    firewall_chain='forward', sort_order=0, rule_action='accept', description='Allow established/related traffic', 
-        )
+    #    state_established=True, state_related=True
    #    )
    FirewallRule.objects.create(
        firewall_chain='forward', sort_order=1, rule_action='reject', description='Reject traffic to private networks exiting on WAN interface',
        in_interface='wg+', out_interface=firewall_settings.wan_interface, destination_ip='10.0.0.0', destination_netmask=8
@ -165,6 +167,8 @@ iptables -t filter -D FORWARD     -j WGWADM_FORWARD     >> /dev/null 2>&1
 iptables -t nat    -I POSTROUTING -j WGWADM_POSTROUTING
 iptables -t nat    -I PREROUTING  -j WGWADM_PREROUTING
 iptables -t filter -I FORWARD     -j WGWADM_FORWARD
 iptables -t filter -A WGWADM_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 '''
--- a/firewall/views.py
+++ b/firewall/views.py
@ -71,6 +71,11 @@ def view_firewall_rule_list(request):
    if wireguard_instances.filter(legacy_firewall=True).exists():
        return redirect('/firewall/migration_required/')
    firewall_settings, firewall_settings_created = FirewallSettings.objects.get_or_create(name='global')
    if not firewall_settings.last_firewall_reset:
        reset_firewall_to_default()
        messages.success(request, 'VPN Firewall|Firewall initialized with the default rule set!')
        return redirect('/firewall/rule_list/')
    current_chain = request.GET.get('chain', 'forward')
    if current_chain not in ['forward', 'portforward', 'postrouting']:
        current_chain = 'forward'
--- a/templates/firewall/firewall_rule_list.html
+++ b/templates/firewall/firewall_rule_list.html
@ -47,6 +47,21 @@
                        <th><i class="far fa-edit"></i></th>
                    </thead>
                    <tbody>
                            <tr class="fw_automatic_rule">  
                              <td>-</td>
                              <td><i class="fas fa-info-circle" title="Automatic rule: Allow established/related traffic"></i></td>
                              <td></td>
                              <td></td>
                              <td></td>
                              <td></td>
                              <td>all</td>
                              <td></td>
                              <td>Related<br>
                                  Established
                              </td>
                              <td>ACCEPT</td>
                              <td></td>
                            </tr>
                        {% for rule in port_forward_list %}
                            {% if rule.add_forward_rule and current_chain == 'forward' %}
--- a/wireguard_webadmin/settings.py
+++ b/wireguard_webadmin/settings.py
@ -129,6 +129,6 @@ STATICFILES_DIRS = [
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
-WIREGUARD_WEBADMIN_VERSION = 9501
+WIREGUARD_WEBADMIN_VERSION = 9502
 from wireguard_webadmin.production_settings import *