Hello Michael, thanks for your reply. Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from. Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block needs to be done. I can take care of this. Thanks, and best regards, Peter Müller > Hello, > > Can we make sure this is well documented somewhere? > > Generally we said that the location filter comes first and this will change that behaviour. > > Best, > -Michael > >> On 18 Dec 2021, at 13:47, Peter Müller wrote: >> >> Inbound Tor traffic conflicts with Location block as inbound connections >> have to be accepted from many parts of the world. To solve this, >> inbound Tor traffic has to be accepted before jumping into Location block >> chain. >> >> Note this affects Tor relay operators only. >> >> Rolled forward as ongoing from >> https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90(a)ipfire.org/, >> note the documentation in the wiki needs to be updated once this landed >> in production. >> >> Signed-off-by: Peter Müller >> --- >> src/initscripts/system/firewall | 8 +++++--- >> 1 file changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >> index 49c6b7bf9..cc5baa292 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -227,6 +227,10 @@ iptables_init() { >> iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT >> fi >> >> + # Tor (inbound) >> + iptables -N TOR_INPUT >> + iptables -A INPUT -j TOR_INPUT >> + >> # Location Block >> iptables -N LOCATIONBLOCK >> iptables -A INPUT -j LOCATIONBLOCK 
>> @@ -260,9 +264,7 @@ iptables_init() { >> iptables -N OVPNINPUT >> iptables -A INPUT -j OVPNINPUT >> >> - # Tor (inbound and outbound) >> - iptables -N TOR_INPUT >> - iptables -A INPUT -j TOR_INPUT >> + # Tor (outbound) >> iptables -N TOR_OUTPUT >> iptables -A OUTPUT -j TOR_OUTPUT >> >> -- >> 2.26.2 >
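Review bot: In the hunk at @@ -227, the new comment "# Tor (inbound)" does not say that the jump to TOR_INPUT has to stay ahead of "iptables -A INPUT -j LOCATIONBLOCK", so a later reordering of iptables_init() could silently bring back the conflict described in the commit message. I suggest extending the comment to state that the chain is deliberately placed before the Location Block. With this ordering, anything accepted in TOR_INPUT is never evaluated by LOCATIONBLOCK. The rules that populate TOR_INPUT are not part of this patch, so please confirm that they match only the relay's listening ports and that the chain is empty when no relay is configured.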
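Review bot: In the hunk at @@ -260, the block now reads "# Tor (outbound)" and creates only TOR_OUTPUT, which leaves the two Tor chains set up in different parts of iptables_init() with nothing pointing from one to the other. A short note in this comment saying that TOR_INPUT is created earlier, ahead of the Location Block, would save the next reader from searching for it. It is also worth recording in the commit message or the wiki that OVPNINPUT, visible in the context lines just above, remains behind LOCATIONBLOCK, so Tor is the only inbound service that gets this exception.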