From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific
 actions for drop hostile
Date: Sun, 21 Jan 2024 12:45:48 +0100
Message-ID: <20240121114553.5182-2-adolf.belka@ipfire.org>
In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8545913707115627699=="
List-Id: <development.lists.ipfire.org>

--===============8545913707115627699==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming t=
raffic and
   HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be tak=
en on each
   independently.

Fixes: bug12981
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 config/firewall/rules.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@
 ############################################################################=
###
 #                                                                           =
  #
 # IPFire.org - A linux based firewall                                       =
  #
-# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                 =
    #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                 =
    #
 #                                                                           =
  #
 # This program is free software: you can redistribute it and/or modify      =
  #
 # it under the terms of the GNU General Public License as published by      =
  #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
 	&ipset_restore($HOSTILE_CCODE);
=20
 	# Check traffic in incoming/outgoing direction and drop if it matches
-	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src=
 -j HOSTILE_DROP");
-	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst=
 -j HOSTILE_DROP");
+	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src=
 -j HOSTILE_DROP_IN");
+	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst=
 -j HOSTILE_DROP_OUT");
 }
=20
 sub ipblocklist () {
--=20
2.43.0


--===============8545913707115627699==--