From 969ca7e15b6a4862d796338663b691aa2ab4e214 Mon Sep 17 00:00:00 2001
From: Scorcher
Date: Sun, 28 Feb 2016 15:58:53 +0500
Subject: [PATCH] Fix hole in iptables: connect to any ports from defined in rules ports.
---
 bin/v-update-firewall | 32 +++++++++++++------------------
 1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
index 04a15a5f..7babd84d 100755
--- a/bin/v-update-firewall
+++ b/bin/v-update-firewall
@@ -64,6 +64,19 @@ tmp=$(mktemp)
 echo "$iptables -P INPUT ACCEPT" >> $tmp
 echo "$iptables -F INPUT" >> $tmp
 
+# Enabling stateful support
+if [ "$conntrack" != 'no' ]; then
+str="$iptables -A INPUT -m state"
+str="$str --state ESTABLISHED,RELATED -j ACCEPT"
+echo "$str" >> $tmp
+fi
+
+# Handling local traffic
+for ip in $(ls $VESTA/data/ips); do
+echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
+done
+echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
+
 # Pasring iptables rules
 IFS=$'\n'
 for line in $(sort -r -n -k 2 -t \' $rules); do
@@ -100,25 +113,6 @@ for line in $(sort -r -n -k 2 -t \' $rules); do
 fi
 done
 
-# Handling local traffic
-for ip in $(ls $VESTA/data/ips); do
-echo "$iptables -A INPUT -s $ip -j ACCEPT" >> $tmp
-done
-echo "$iptables -A INPUT -s 127.0.0.1 -j ACCEPT" >> $tmp
-IFS=$'\n'
-for p_rule in $(cat $ports); do
-eval $p_rule
-rule="$iptables -A INPUT -p $PROTOCOL"
-echo "$rule --sport $PORT -j ACCEPT" >> $tmp
-done
-
-# Enabling stateful support
-if [ "$conntrack" != 'no' ]; then
-str="$iptables -A INPUT -p tcp -m state"
-str="$str --state ESTABLISHED,RELATED -j ACCEPT"
-echo "$str" >> $tmp
-fi
-
 # Switching chain policy to DROP
 echo "$iptables -P INPUT DROP" >> $tmp
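Review bot: When `conntrack` is `no`, the new stateful block in the first hunk emits no ESTABLISHED,RELATED rule and the old `--sport` fallback loop over `$ports` is gone entirely, so once the chain policy flips to DROP at the end of the script, reply packets for the server's own outbound connections (DNS lookups, updates, outgoing mail) are dropped unless some user rule happens to match them. Closing the hole is correct (any packet carrying a listed source port was previously accepted regardless of destination port), but the regression for conntrack-disabled hosts deserves at least a warning, e.g. `if [ "$conntrack" = 'no' ]; then echo "Warning: conntrack disabled, return traffic for outbound connections will be dropped" >&2; fi` after the stateful block. Separately, the relocated `-A INPUT -s $ip -j ACCEPT` rules for the host's own addresses match on source address alone and so rely on reverse-path filtering to reject spoofed packets; a comment stating that dependency would help the next maintainer. Dropping `-p tcp` from the state rule looks right, since UDP and ICMP replies need the same treatment.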