From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Reject outgoing TCP connections to port 25 by default
Date: Sun, 05 Nov 2023 13:17:38 +0000
Message-ID: <79A7B271-9BC0-4CAE-A449-4D8BF7408766@ipfire.org>

Hello Peter,

Thanks for the patch.

In rather inconvenient timing, I branched the update yesterday, so this will be part of the next update.

It would also be great to gather some more feedback from the community to see how they are feeling about more pre-configuration.

Best,
-Michael

> On 4 Nov 2023, at 17:35, Peter Müller wrote:
>
> This will affect new IPFire installations only, implementing a
> long-standing BCP for preemptively combating botnet spam. Reject is
> chosen over drop to reduce the likelihood for confusion during network
> troubleshooting.
>
> Cc: Michael Tremer
> Signed-off-by: Peter Müller
> Tested-by: Peter Müller
> ---
> config/firewall/config | 1 +
> lfs/configroot | 5 +++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
> create mode 100644 config/firewall/config
>
> diff --git a/config/firewall/config b/config/firewall/config
> new file mode 100644
> index 000000000..c871576f2
> --- /dev/null
> +++ b/config/firewall/config
> @@ -0,0 +1 @@
> +1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv= ,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,0= 0:00,00:00,,AUTO,,dnat,,,,,second
> diff --git a/lfs/configroot b/lfs/configroot
> index 2c09ae4a8..66efe04b5 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2022 IPFire Team = # > +# Copyright (C) 2007-2023 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -64,7 +64,7 @@ $(TARGET) : > for i in auth/users backup/include.user backup/exclude.user \ > captive/settings captive/agb.txt captive/clients captive/voucher_out cer= ts/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp= /settings \ > dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/se= rvers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nic= s ethernet/scanned_nics \ > - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extr= ahd/settings firewall/settings firewall/config firewall/locationblock firewal= l/input firewall/outgoing \ > + ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extr= ahd/settings firewall/settings firewall/locationblock firewall/input firewall= /outgoing \ > fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/= customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsetti= ngs ipblocklist/modified \ > ipblocklist/settings mac/settings main/hosts main/routing main/security = main/settings optionsfw/settings \ > ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/confi= g ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ 
> @@ -102,6 +102,7 @@ $(TARGET) : > cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settin= gs > cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans > cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ > + cp $(DIR_SRC)/config/firewall/config $(CONFIG_ROOT)/firewall/config > cp $(DIR_SRC)/config/firewall/convert-xtaccess /usr/sbin/convert-xtaccess > cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoing= fw > cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz > --=20 > 2.35.3 >=20 --===============9136581654839245946==--
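Review bot: In the new config/firewall/config hunk, the single rule is scoped `std_net_src,ALL` to `std_net_tgt,RED`, so it rejects direct port 25 delivery from every internal network, including any DMZ host that is meant to act as a mail relay; an administrator running such a host must insert an allow rule ahead of rule 1, and neither the commit message nor the rule remark ("Block port 25 (TCP) for outgoing connections to the internet") says so. Suggest adding a sentence to the commit message (and ideally the release notes) stating that legitimate outbound MTAs need an explicit exception, and noting that submission on 465/587 is unaffected, which is the intended scope of the BCP.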
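Review bot: In the `@@ -64,7 +64,7 @@` hunk of lfs/configroot, dropping `firewall/config` from the list of files created empty is correct only because other `firewall/*` entries (firewall/settings, firewall/locationblock, firewall/input, firewall/outgoing) remain in that loop and still create the directory the later `cp` writes into; worth a comment or a mention in the commit message so the dependency is not broken by a future cleanup of that list. The copyright year bump in the `@@ -1,7 +1,7 @@` hunk is unrelated to the change and is normally sent as its own patch.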
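Review bot: In the `@@ -102,6 +102,7 @@` hunk, the added `cp $(DIR_SRC)/config/firewall/config $(CONFIG_ROOT)/firewall/config` is not followed by any chown/chmod in the visible lines, whereas the file was previously created by the same loop as the other firewall files and presumably picked up whatever ownership that path applies. Please confirm that the copied file ends up with the owner and mode the firewall web UI expects, since the UI rewrites this file when rules are edited; otherwise the shipped default rule would be visible but not editable on a fresh install.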