From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Date: Sat, 18 Dec 2021 14:47:56 +0100 Message-ID: <4347b799-f863-9870-50d2-683b8c078670@ipfire.org> In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1578113017597720681==" List-Id: --===============1578113017597720681== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain. Note this affects Tor relay operators only. Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f2= 4c354cd90(a)ipfire.org/, note the documentation in the wiki needs to be updated once this landed in production. Signed-off-by: Peter M=C3=BCller --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi =20 + # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK @@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT =20 - # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT =20 --=20 2.26.2 --===============1578113017597720681==--
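Review bot: In the first hunk (@@ -227,6 +227,10 @@), moving `iptables -A INPUT -j TOR_INPUT` ahead of `iptables -A INPUT -j LOCATIONBLOCK` means anything ACCEPTed inside TOR_INPUT now bypasses not only the location filter but every INPUT rule that used to sit before the old Tor jump as well, including the `-j OVPNINPUT` jump visible as context in the second hunk. That is the intended effect for relay traffic, but the contents of TOR_INPUT are not part of this patch, so whatever populates it should match narrowly (the configured relay port only) rather than accept broadly, and the "affects Tor relay operators only" claim in the commit message holds only as long as TOR_INPUT stays empty when no relay is configured. Worth a comment above `# Tor (inbound)` saying the chain must be consulted before LOCATIONBLOCK on purpose and what it is expected to contain, so a later reordering does not silently reintroduce the conflict.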
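Review bot: In the second hunk (@@ -260,9 +264,7 @@), the header comment becomes `# Tor (outbound)` while the inbound chain now lives about forty lines earlier, so the two Tor chains are created in two unrelated places of iptables_init(). Since TOR_OUTPUT hangs off OUTPUT and the reordering reason (LOCATIONBLOCK) only concerns INPUT, consider moving `iptables -N TOR_OUTPUT` / `iptables -A OUTPUT -j TOR_OUTPUT` up next to the new inbound block so both stay together, provided no OUTPUT rule in the intervening region needs to fire before it; if that ordering does matter, a one-line cross reference in each comment (inbound created early because of LOCATIONBLOCK, outbound kept here because of OUTPUT ordering) would keep the split from looking accidental.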