public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
Date: Wed, 13 Oct 2021 18:21:57 +0200
Message-ID: <7137bf0b-aa99-d555-b38c-cbbb7e33339a@ipfire.org>
In-Reply-To: <AC3D4708-9DEE-4108-9765-C7B7872DA233@ipfire.org>


Hello Michael,

thanks for your reply.

> Thank you.
> 
> Do we want to make this a more convenient option somewhere in the UI in the future?

Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
to drop all traffic from and to
(a) IP networks not being globally routable ("martians")
(b) publicly routable yet unallocated IP networks ("bogons")
(c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set
on the RED interface.

I think it is wise to split this up, since some people might need (a), but not (b) - Arne
told me yesterday some mobile ISPs use public IP space internally -, and might not want
to enable (c) for whatever reason. One size never fits all.

(a) is something we (I) can implement straight away. As soon as this patch has been merged,
(c) is no longer an issue, too. (b) is currently blocked due to bug #12691.

And of course there will be a blog article about this. \o/

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
> Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> 
>> On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> This enables creating firewall rules using the special country code "XD"
>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful
>> text for IP addresses having this flag set.
>>
>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
>> will be in the future (as soon as libloc 0.9.9 is released and running
>> in production).
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/cfgroot/location-functions.pl | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
>> index fb97eb589..4d44ce24d 100644
>> --- a/config/cfgroot/location-functions.pl
>> +++ b/config/cfgroot/location-functions.pl
>> @@ -2,7 +2,7 @@
>> ###############################################################################
>> #                                                                             #
>> # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
>> +# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
>> #                                                                             #
>> # This program is free software: you can redistribute it and/or modify        #
>> # it under the terms of the GNU General Public License as published by        #
>> @@ -29,6 +29,7 @@ my %not_iso_3166_location = (
>> 	"A1" => "Anonymous Proxy",
>> 	"A2" => "Satellite Provider",
>> 	"A3" => "Worldwide Anycast Instance",
>> +	"XD" => "Hostile networks safe to drop",
>> );
>>
>> # Hash which contains possible network flags and their mapped location codes.
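Review bot: The new "XD" => "Hostile networks safe to drop" entry in %not_iso_3166_location gives no hint that it is inert for now. The commit message says LOC_NETWORK_FLAG_DROP is not populated until libloc 0.9.9 is released and running in production, so a firewall rule built on XD before then would have no networks to match. A short comment above the entry stating that dependency would help anyone reading the file without the commit message at hand.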
>> @@ -36,10 +37,11 @@ my %network_flags = (
>> 	"LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1",
>> 	"LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2",
>> 	"LOC_NETWORK_FLAG_ANYCAST" => "A3",
>> +	"LOC_NETWORK_FLAG_DROP" => "XD",
>> );
>>
>> # Array which contains special country codes.
>> -my @special_locations = ( "A1", "A2", "A3" );
>> +my @special_locations = ( "A1", "A2", "A3", "XD" );
>>
>> # Directory where the libloc database and keyfile lives.
>> our $location_dir = "/var/lib/location/";
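Review bot: In @special_locations, "XD" is now hard-coded for the third time, after %not_iso_3166_location and %network_flags, and the three lists have to be kept in step by hand. As far as the visible lines show, the array holds exactly the values of %network_flags, so consider deriving it, for example my @special_locations = sort values %network_flags; so that the next flag only needs adding to the hashes.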
>> -- 
>> 2.26.2
> 
