From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: accept inbound Tor traffic before applying GeoIP
Date: Thu, 04 Jul 2019 19:23:35 +0100
Message-ID: <2B4EF8AA-BAF3-473F-92C9-4759D4234211@ipfire.org>
In-Reply-To: <f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org>
Hi,
I am not sure if I agree.
Not because this does not make sense technologically but in the documentation we have always said that the GeoIP filter comes first and drops all traffic that isn’t permitted here.
Can we make sure that we update this accordingly?
-Michael
> On 4 Jul 2019, at 18:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Inbound Tor traffic conflicts with GeoIP block as inbound connections
> have to be accepted from many parts of the world. To solve this,
> inbound Tor traffic has to be accepted before jumping into GeoIP block
> chain.
>
> Note this affects Tor relay operators only.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..e4b29da28 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -269,6 +269,10 @@ iptables_init() {
> iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> fi
>
> + # Tor (inbound)
> + iptables -N TOR_INPUT
> + iptables -A INPUT -j TOR_INPUT
> +
> # GeoIP block
> iptables -N GEOIPBLOCK
> iptables -A INPUT -j GEOIPBLOCK
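Review bot: the new `iptables -A INPUT -j TOR_INPUT` placed above `# GeoIP block` means any packet ACCEPTed inside TOR_INPUT never reaches GEOIPBLOCK, so the rules loaded into TOR_INPUT elsewhere must stay limited to the relay's own listening ports or this becomes a general GeoIP bypass; a one-line comment at `# Tor (inbound)` stating that the chain deliberately precedes the GeoIP block would keep a future reordering from silently undoing this.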
> @@ -302,9 +306,7 @@ iptables_init() {
> iptables -N OVPNINPUT
> iptables -A INPUT -j OVPNINPUT
>
> - # Tor (inbound and outbound)
> - iptables -N TOR_INPUT
> - iptables -A INPUT -j TOR_INPUT
> + # Tor (outbound)
> iptables -N TOR_OUTPUT
> iptables -A OUTPUT -j TOR_OUTPUT
>
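Review bot: the commit message only mentions GeoIP, but by removing `iptables -A INPUT -j TOR_INPUT` from below `iptables -A INPUT -j OVPNINPUT` and recreating it earlier, TOR_INPUT is now consulted before OVPNINPUT and every other INPUT chain appended between the two hunks, not just before GEOIPBLOCK; that wider ordering change belongs in the commit message and in the documentation that describes the chain order.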
> --
> 2.16.4
>