From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 05/11] firewall: Introduce DROP_HOSTILE
Date: Sat, 08 Jan 2022 11:39:45 +0100
Message-ID: <28ee50cb-8eeb-535b-0b93-32a4ca4fd85e@ipfire.org>
In-Reply-To: <714365FA-2D67-41F7-97EF-21FFD3B487AC@ipfire.org>

Hello Michael,

thanks for your reply. This is good to know as I was surprised to see this working on my testing machine without any further exports/converting/${whatever} of the location database. :-)

Thanks, and best regards,
Peter Müller

> Hello,
>
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
>
> Whenever we download the database, we extract everything:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
>
> So this should always work.
>
> -Michael
>
>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfere with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() {
>>  	iptables -t nat -N CUSTOMPOSTROUTING
>>  	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>>
>> +	# Log and drop any traffic from and to networks known as being hostile, posing
>> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
>> +	if [ "$DROPHOSTILE" == "on" ]; then
>> +		iptables -N DROP_HOSTILE
>> +		iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
>> +
>> +		iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
>> +		iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +
>> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
>> +	fi
>> +
>>  	# P2PBLOCK
>>  	iptables -N P2PBLOCK
>>  	iptables -A INPUT -j P2PBLOCK
>> -- 
>> 2.26.2
>
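Review bot: the OUTPUT rule in the new block matches `--src-cc XD` on packets leaving via `$IFACE`, but locally generated traffic carries the firewall's own address as its source, so that rule will not match unless the firewall itself were listed in XD, and traffic from the firewall *to* a hostile network is not dropped at all. To cover the "from and to" case the comment promises, and to mirror the FORWARD `-o $IFACE` rule two lines above it, this should read `iptables -A OUTPUT -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE`. Two minor points on the same hunk: `==` inside `[ ]` is a bashism (`=` is the portable form), and `$IFACE` is unquoted in all four jump rules, so an empty or unset value silently turns them into rules without an interface match.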