From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] firewall: Fix placement of HOSTILE chains Date: Wed, 23 Mar 2022 11:24:28 +0000 Message-ID: <135C8E83-E856-45CA-8ED0-D5DDCD02F154@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7252214421714623621==" List-Id: --===============7252214421714623621== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Michael Tremer > On 23 Mar 2022, at 11:18, Peter M=C3=BCller wr= ote: >=20 > They were mistakenly placed after the IPS chains in commit > 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the > connection tracking and before the IPS. >=20 > Fixes: #12815 >=20 > Signed-off-by: Peter M=C3=BCller > --- > src/initscripts/system/firewall | 22 +++++++++++----------- > 1 file changed, 11 insertions(+), 11 deletions(-) >=20 > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index 2a70feac2..2597dae10 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -169,6 +169,17 @@ iptables_init() { > iptables -t nat -N CUSTOMPOSTROUTING > iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING >=20 > + # Chains for networks known as being hostile, posing a technical threat t= o our users > + # (i. e. listed at Spamhaus DROP et al.) > + iptables -N HOSTILE > + iptables -A INPUT -j HOSTILE > + iptables -A FORWARD -j HOSTILE > + iptables -A OUTPUT -j HOSTILE > + > + iptables -N HOSTILE_DROP > + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "= DROP_HOSTILE " > + iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" > + > # IPS (Guardian) chains > iptables -N GUARDIAN > iptables -A INPUT -j GUARDIAN 
> @@ -259,17 +270,6 @@ iptables_init() { > iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT > fi >=20 > - # Chains for networks known as being hostile, posing a technical threat t= o our users > - # (i. e. listed at Spamhaus DROP et al.) > - iptables -N HOSTILE > - iptables -A INPUT -j HOSTILE > - iptables -A FORWARD -j HOSTILE > - iptables -A OUTPUT -j HOSTILE > - > - iptables -N HOSTILE_DROP > - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "= DROP_HOSTILE " > - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" > - > # Tor (inbound) > iptables -N TOR_INPUT > iptables -A INPUT -j TOR_INPUT > --=20 > 2.34.1 --===============7252214421714623621==--
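Review bot: on the first hunk (`@@ -169,6 +169,17 @@`), the commit message says the HOSTILE chains belong "after the connection tracking", but the only context visible above the insertion point is the nat-table `CUSTOMPOSTROUTING` setup, so the ordering relative to the conntrack rules cannot be confirmed from the diff itself; naming the preceding conntrack block in the commit message, or widening the context, would make that part of the claim reviewable. What the hunk does show is the half that matters for #12815: the `-A INPUT/FORWARD/OUTPUT -j HOSTILE` jumps are now appended before the `GUARDIAN` jumps, so traffic from listed networks is logged and dropped before the IPS ever sees it. One detail worth keeping in mind when reading the `HOSTILE_DROP` LOG rule: `-m limit --limit 10/second` leaves `--limit-burst` at its iptables default of 5, which is the intended rate limiting for a chain that can match entire DROP-listed prefixes.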
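Review bot: on the second hunk (`@@ -259,17 +270,6 @@`), the eleven removed lines are byte-identical to the eleven added in the first hunk (same comments, same `--log-prefix "DROP_HOSTILE "`, same `-m comment` text), so this is a pure move with no change to the rules themselves; stating that explicitly in the commit message ("no rule text changed, only the position in `iptables_init`") would save the next reader from diffing the two blocks by eye. The surrounding context is also consistent: the old block sat between the `DHCPBLUEOUTPUT` `fi` and the `TOR_INPUT` chain, and removing it leaves exactly one blank line between those, so the function body stays tidy after the move.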