From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 05/11] firewall: Introduce DROP_HOSTILE
Date: Fri, 07 Jan 2022 17:04:58 +0000
Message-ID: <714365FA-2D67-41F7-97EF-21FFD3B487AC@ipfire.org>

Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
>
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfere with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
>
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() { > iptables -t nat -N CUSTOMPOSTROUTING > iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING >=20 > + # Log and drop any traffic from and to networks known as being hostile, p= osing > + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) > + if [ "$DROPHOSTILE" =3D=3D "on" ]; then > + iptables -N DROP_HOSTILE > + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefi= x "DROP_HOSTILE " > + > + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE > + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + > + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" > + fi > + > # P2PBLOCK > iptables -N P2PBLOCK > iptables -A INPUT -j P2PBLOCK > --=20 > 2.26.2 --===============7556172174039353710==--
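Review bot: the OUTPUT rule matches the wrong direction: `iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE` tests the source country of locally generated packets, which is the firewall's own address, so it never catches traffic to a hostile network; mirror the FORWARD `-o` rule and use `--dst-cc XD` here, as the commit message promises to drop traffic "to" these networks as well. Two smaller points: `$DROPHOSTILE` and `$IFACE` are unquoted in the test and in the `-i`/`-o` arguments (`"$IFACE"` is safer should the variable ever be empty), and all four jump rules silently match nothing if the loaded location database carries no XD entries, so a log line when the XD pseudo-country is absent would make that misconfiguration visible instead of leaving the feature apparently enabled but inert.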