Reviewed-by: Michael Tremer
> On 23 Mar 2022, at 11:18, Peter Müller wrote:
>
> They were mistakenly placed after the IPS chains in commit
> 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
> connection tracking and before the IPS.
>
> Fixes: #12815
>
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 22 +++++++++++-----------
> 1 file changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 2a70feac2..2597dae10 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,17 @@ iptables_init() {
> iptables -t nat -N CUSTOMPOSTROUTING
> iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>
> + # Chains for networks known as being hostile, posing a technical threat to our users
> + # (i. e. listed at Spamhaus DROP et al.)
> + iptables -N HOSTILE
> + iptables -A INPUT -j HOSTILE
> + iptables -A FORWARD -j HOSTILE
> + iptables -A OUTPUT -j HOSTILE
> +
> + iptables -N HOSTILE_DROP
> + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> +
> # IPS (Guardian) chains
> iptables -N GUARDIAN
> iptables -A INPUT -j GUARDIAN
> @@ -259,17 +270,6 @@ iptables_init() {
> iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> fi
>
> - # Chains for networks known as being hostile, posing a technical threat to our users
> - # (i. e. listed at Spamhaus DROP et al.)
> - iptables -N HOSTILE
> - iptables -A INPUT -j HOSTILE
> - iptables -A FORWARD -j HOSTILE
> - iptables -A OUTPUT -j HOSTILE
> -
> - iptables -N HOSTILE_DROP
> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> -
> # Tor (inbound)
> iptables -N TOR_INPUT
> iptables -A INPUT -j TOR_INPUT
> --
> 2.34.1
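Review bot: The two HOSTILE_DROP rules in the first hunk are tagged inconsistently — the DROP rule carries `-m comment --comment "DROP_HOSTILE"` while the rate-limited LOG rule directly above it does not, which makes the LOG rule harder to pick out of `iptables -L -v` output and to correlate with the logged "DROP_HOSTILE " prefix; adding the same comment to the LOG line, `iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " -m comment --comment "DROP_HOSTILE"`, would make the pair uniform. The header comment explains why the chain exists but not where it gets its rules: this hunk only creates HOSTILE empty and hooks it into INPUT, FORWARD and OUTPUT, so the rules that actually jump to HOSTILE_DROP are presumably added by another component, and a one-line pointer such as `# HOSTILE is populated by <script that loads the blocklist — TODO name it>` would save the next reader a search. The commit message places the block "after the connection tracking", but no conntrack rules are visible in the hunk, so from this diff only the position before the GUARDIAN (IPS) chains can be confirmed; worth a second look in the full file. iptables_init() begins and ends outside both hunks.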