From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: accept inbound Tor traffic before applying GeoIP
Date: Thu, 04 Jul 2019 19:23:35 +0100
Message-ID: <2B4EF8AA-BAF3-473F-92C9-4759D4234211@ipfire.org>

Hi,

I am not sure if I agree.

Not because this does not make sense technologically, but in the documentation we have always said that the GeoIP filter comes first and drops all traffic that isn't permitted here.

Can we make sure that we update this accordingly?

-Michael

> On 4 Jul 2019, at 18:43, Peter Müller wrote:
>
> Inbound Tor traffic conflicts with GeoIP block as inbound connections
> have to be accepted from many parts of the world. To solve this,
> inbound Tor traffic has to be accepted before jumping into GeoIP block
> chain.
>
> Note this affects Tor relay operators only.
>
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..e4b29da28 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -269,6 +269,10 @@ iptables_init() {
>  		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
>  	fi
>
> +	# Tor (inbound)
> +	iptables -N TOR_INPUT
> +	iptables -A INPUT -j TOR_INPUT
> +
>  	# GeoIP block
>  	iptables -N GEOIPBLOCK
>  	iptables -A INPUT -j GEOIPBLOCK
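Review bot: The new `# Tor (inbound)` comment should record why this block is placed above `# GeoIP block`, since the ordering is the whole point of the change and nothing in the code itself says so; a later reorder, or a new chain jump inserted between `-j TOR_INPUT` and `-j GEOIPBLOCK`, would silently reintroduce the conflict the commit message describes. Something like `# Tor (inbound) - must be evaluated before GEOIPBLOCK so relay connections are not geo-filtered` would do. The same comment should make clear that `iptables -A INPUT -j TOR_INPUT` is unconditional, so every rule later appended to TOR_INPUT is consulted for all inbound packets ahead of the GeoIP drop, which is exactly the documented-ordering concern raised in the reply above and should be reflected in the user documentation at the same time.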
> @@ -302,9 +306,7 @@ iptables_init() {
>  	iptables -N OVPNINPUT
>  	iptables -A INPUT -j OVPNINPUT
>
> -	# Tor (inbound and outbound)
> -	iptables -N TOR_INPUT
> -	iptables -A INPUT -j TOR_INPUT
> +	# Tor (outbound)
>  	iptables -N TOR_OUTPUT
>  	iptables -A OUTPUT -j TOR_OUTPUT
>  	
> -- 
> 2.16.4
>
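Review bot: After this hunk the `# Tor (outbound)` block no longer mentions TOR_INPUT at all, so a reader arriving here after the OVPNINPUT jump gets no hint that inbound Tor handling still exists elsewhere in the function; a short pointer such as `# Tor (outbound); the inbound chain TOR_INPUT is created before GEOIPBLOCK above` would keep the two halves discoverable. The diffstat (5 insertions, 3 deletions) matches the two hunks, and the whitespace-only context line following `-j TOR_OUTPUT` is pre-existing rather than introduced by this patch.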