From mboxrd@z Thu Jan  1 00:00:00 1970
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Firewall initscript: Restore Tor IPTable rules by manual
 firewall restart
Date: Tue, 16 Jan 2024 19:47:18 +0000
Message-ID: <8ac9d6b7ce00e20bcb68171bfc41c36a7c187b66.camel@ipfire.org>
In-Reply-To: <83E4DAD9-4F85-4744-A5C1-C2D799304BC0@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3825368125662698881=="
List-Id: <development.lists.ipfire.org>

--===============3825368125662698881==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hope it matches all the needs.

Best,

Erik

Am Dienstag, dem 16.01.2024 um 15:17 +0000 schrieb Michael Tremer:
>=20
>=20
> > On 16 Jan 2024, at 15:16, ummeegge <ummeegge(a)ipfire.org> wrote:
> >=20
> > Hi Michael,
> >=20
> > Am Dienstag, dem 16.01.2024 um 15:11 +0000 schrieb Michael Tremer:
> > > Hello Erik,
> > >=20
> > > Thank you for the patch.
> > >=20
> > > > On 16 Jan 2024, at 15:07, Erik Kapfer <erik.kapfer(a)ipfire.org>
> > > > wrote:
> > > >=20
> > > > If the firewall will be manually restart via
> > > > '/etc/init.d/firewall
> > > > restart',
> > > > the IPTable rules for the Tor relay will be deleted since
> > > > 'iptables_init' only
> > > > flushes and creates inbound and unbound chains for Tor but does
> > > > not
> > > > restore the
> > > > ruleset from Tor initscript.
> > > >=20
> > > > For reference and tests please see -->
> > > > https://community.ipfire.org/t/tor-stop-working-without-stop-the-proc=
ess-or-give-an-error-message/10697
> > > >=20
> > > > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > > > ---
> > > > src/initscripts/system/firewall | 6 ++++++
> > > > 1 file changed, 6 insertions(+)
> > > >=20
> > > > diff --git a/src/initscripts/system/firewall
> > > > b/src/initscripts/system/firewall
> > > > index 50f2b3e02..50a7f2db9 100644
> > > > --- a/src/initscripts/system/firewall
> > > > +++ b/src/initscripts/system/firewall
> > > > @@ -25,6 +25,7 @@
> > > > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
> > > > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> > > > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> > > > +eval $(/usr/local/bin/readhash /var/ipfire/tor/settings)
> > >=20
> > > Is this file available even when Tor is not installed?
> > >=20
> > > We might get an error message here if it does not exist.
> > That=C2=B4s a bad one, you are absolutely right! Since this is the
> > firewall
> > script, which way do you prefere in here ?
>=20
> You can simply wrap the line in an if statement checking if the file
> is readable:
>=20
> =C2=A0 if [ -r =E2=80=9C/var/ipfire/tor/settings=E2=80=9D ]; then
> =C2=A0=C2=A0=C2=A0 eval =E2=80=A6
> =C2=A0 fi
>=20
> The rest can stay as is.
>=20
> >=20
> >=20
> > >=20
> > > > IFACE=3D`/bin/cat /var/ipfire/red/iface 2> /dev/null |
> > > > /usr/bin/tr -d
> > > > '\012'`
> > > > if [ -z $IFACE ]; then
> > > > IFACE=3D"red0"
> > > > @@ -387,6 +388,11 @@ iptables_init() {
> > > > # run captivectrl
> > > > /usr/local/bin/captivectrl
> > > >=20
> > > > + # If a Tor relay is enabled apply firewall rules
> > > > + if [ "${TOR_RELAY_ENABLED}" =3D "on" -a -n "${TOR_RELAY_PORT}"
> > > > ];
> > > > then
> > > > + /usr/local/bin/torctrl restart 1> /dev/null
> > > > + fi
> > > > +
> > > > # POLICY CHAIN
> > > > iptables -N POLICYIN
> > > > iptables -A INPUT -j POLICYIN
> > > > --=20
> > > > 2.43.0
> > > >=20
> > >=20
> >=20
>=20


--===============3825368125662698881==--