From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Firewall initscript: Restore Tor IPTable rules by manual firewall restart
Date: Tue, 16 Jan 2024 15:17:26 +0000 [thread overview]
Message-ID: <83E4DAD9-4F85-4744-A5C1-C2D799304BC0@ipfire.org> (raw)
In-Reply-To: <ae2a72dbdbce230c87283614b5c4cb8be38732da.camel@ipfire.org>
> On 16 Jan 2024, at 15:16, ummeegge <ummeegge(a)ipfire.org> wrote:
>
> Hi Michael,
>
> On Tuesday, 16.01.2024 at 15:11 +0000, Michael Tremer wrote:
>> Hello Erik,
>>
>> Thank you for the patch.
>>
>>> On 16 Jan 2024, at 15:07, Erik Kapfer <erik.kapfer(a)ipfire.org>
>>> wrote:
>>>
>>> If the firewall is manually restarted via '/etc/init.d/firewall restart',
>>> the IPTable rules for the Tor relay will be deleted since 'iptables_init'
>>> only flushes and creates inbound and outbound chains for Tor but does not
>>> restore the ruleset from the Tor initscript.
>>>
>>> For reference and tests please see -->
>>> https://community.ipfire.org/t/tor-stop-working-without-stop-the-process-or-give-an-error-message/10697
>>>
>>> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 6 ++++++
>>> 1 file changed, 6 insertions(+)
>>>
>>> diff --git a/src/initscripts/system/firewall
>>> b/src/initscripts/system/firewall
>>> index 50f2b3e02..50a7f2db9 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -25,6 +25,7 @@
>>> eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
>>> eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
>>> eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>>> +eval $(/usr/local/bin/readhash /var/ipfire/tor/settings)
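Review bot: the added `eval $(/usr/local/bin/readhash /var/ipfire/tor/settings)` runs unconditionally at the top of the firewall initscript, but /var/ipfire/tor/settings is only present when the Tor add-on is installed, so on every other system this line produces an error on each firewall start; guard it with `if [ -r /var/ipfire/tor/settings ]; then ... fi`. Inside that guard it is also worth an explicit `unset TOR_RELAY_ENABLED TOR_RELAY_PORT` before the eval, so that a value inherited from the caller's environment cannot satisfy the relay check further down when the file is absent or does not set those keys.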
>>
>> Is this file available even when Tor is not installed?
>>
>> We might get an error message here if it does not exist.
> That's a bad one, you are absolutely right! Since this is the firewall
> script, which way do you prefer here?
You can simply wrap the line in an if statement checking if the file is readable:
if [ -r "/var/ipfire/tor/settings" ]; then
	eval …
fi
The rest can stay as is.
>
>
>>
>>> IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d
>>> '\012'`
>>> if [ -z $IFACE ]; then
>>> IFACE="red0"
>>> @@ -387,6 +388,11 @@ iptables_init() {
>>> # run captivectrl
>>> /usr/local/bin/captivectrl
>>>
>>> + # If a Tor relay is enabled apply firewall rules
>>> + if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ];
>>> then
>>> + /usr/local/bin/torctrl restart 1> /dev/null
>>> + fi
>>> +
>>> # POLICY CHAIN
>>> iptables -N POLICYIN
>>> iptables -A INPUT -j POLICYIN
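Review bot: `/usr/local/bin/torctrl restart` restarts the Tor daemon itself from inside iptables_init, while the subject of the patch is restoring the relay's iptables rules; if torctrl has an entry point that only (re)applies the rules, call that instead, so that a plain `/etc/init.d/firewall restart` does not also tear down the relay's established circuits. Two smaller points in the same hunk: the `-a` operator inside a single `[ ... ]` is marked obsolescent in POSIX test(1), so write the condition as `[ "${TOR_RELAY_ENABLED}" = "on" ] && [ -n "${TOR_RELAY_PORT}" ]`; and `1> /dev/null` silences only stdout, so decide whether stderr from torctrl should be visible during a firewall restart or be redirected as well.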
>>> --
>>> 2.43.0
>>>
>>
>
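The guard discussed in this message (only source the Tor settings file when it is readable, and only apply relay rules when TOR_RELAY_ENABLED is "on" and TOR_RELAY_PORT is set) as an added, stand-alone shell example. This is not IPFire code and does not reproduce the project's readhash helper: in place of `eval $(readhash ...)` it uses a deliberately restrictive KEY=value loader (an assumption of this example) so that an unexpected line in the settings file cannot be executed as shell. The settings files it reads are constructed temporary files, not real /var/ipfire paths.

```shell
#!/bin/sh
# Added example (not IPFire code). Demonstrates: sourcing an optional
# settings file only if it is readable, resetting the relevant variables
# first, and evaluating the relay condition with portable test syntax.

# load_settings FILE
# Loads KEY=value lines from FILE. Keys must match [A-Z0-9_]+, values
# may only contain [A-Za-z0-9._:/-]; anything else is skipped. Does
# nothing (and succeeds) when FILE is missing or unreadable, which is
# the case when the Tor add-on is not installed.
# This is an assumed stand-in for readhash, not its actual behaviour.
load_settings() {
    file="$1"
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # blank line or comment
            *=*) ;;                 # looks like KEY=value, keep going
            *) continue ;;          # no '=' at all, skip
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            *[!A-Z0-9_]*|'') continue ;;        # not a plain KEY
        esac
        case "$value" in
            *[!A-Za-z0-9._:/-]*) continue ;;    # shell metachars etc.
        esac
        export "$key=$value"
    done < "$file"
}

# reset_tor_settings
# Unset the variables first so a stale value from the caller's
# environment cannot enable the rules when the file does not set them.
reset_tor_settings() {
    unset TOR_RELAY_ENABLED TOR_RELAY_PORT
}

# tor_relay_rules_needed
# Same condition as the patch, written with '&&' between two tests
# instead of the obsolescent '-a' operator. Returns 0 when rules apply.
tor_relay_rules_needed() {
    [ "${TOR_RELAY_ENABLED}" = "on" ] && [ -n "${TOR_RELAY_PORT}" ]
}

# check_tor_settings FILE
# Reset, load FILE, and print "yes" if relay rules should be applied,
# "no" otherwise. Always exits 0 so it is safe under 'set -e'.
check_tor_settings() {
    reset_tor_settings
    load_settings "$1"
    if tor_relay_rules_needed; then
        echo yes
    else
        echo no
    fi
}

# Demonstration on constructed input (not real IPFire settings files).
demo() {
    tmp="$(mktemp)"
    printf 'TOR_RELAY_ENABLED=on\nTOR_RELAY_PORT=9001\n' > "$tmp"
    echo "relay on, port set:   $(check_tor_settings "$tmp")"
    printf 'TOR_RELAY_ENABLED=on\n' > "$tmp"
    echo "relay on, no port:    $(check_tor_settings "$tmp")"
    printf 'TOR_RELAY_ENABLED=off\nTOR_RELAY_PORT=9001\n' > "$tmp"
    echo "relay off:            $(check_tor_settings "$tmp")"
    printf 'TOR_RELAY_ENABLED=on\nTOR_RELAY_PORT=9001;reboot\n' > "$tmp"
    echo "hostile port value:   $(check_tor_settings "$tmp")"
    rm -f "$tmp"
    echo "settings file absent: $(check_tor_settings /nonexistent/tor/settings)"
}

demo
```

The "settings file absent" case is the one Michael raises: with the readability check the script simply carries on and the relay condition evaluates to "no", rather than printing an error and, depending on what readhash leaves behind, possibly acting on leftover variables. The "hostile port value" case shows why a settings loader should validate values instead of handing them to eval.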
Thread overview: 6+ messages
2024-01-16 15:08 Erik Kapfer
2024-01-16 15:11 ` Michael Tremer
2024-01-16 15:16 ` ummeegge
2024-01-16 15:17 ` Michael Tremer [this message]
2024-01-16 19:47 ` ummeegge
2024-01-16 15:27 ` [PATCH v2] " Erik Kapfer