From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bernhard Bitsch <bbitsch@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific
 actions for drop hostile
Date: Mon, 22 Jan 2024 11:48:41 +0100
Message-ID: <964ac38f-77ab-47fb-8887-e681cea8d88a@ipfire.org>
In-Reply-To: <20240121114553.5182-2-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0880029209713907862=="
List-Id: <development.lists.ipfire.org>

--===============0880029209713907862==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Acked-by: Bernhard Bitsch <bbitsch(a)ipfire.org>

Am 21.01.2024 um 12:45 schrieb Adolf Belka:
> - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming=
 traffic and
>     HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be =
taken on each
>     independently.
>=20
> Fixes: bug12981
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>   config/firewall/rules.pl | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
>=20
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 7edb910e2..a47c260a1 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
>   #########################################################################=
######
>   #                                                                        =
     #
>   # IPFire.org - A linux based firewall                                    =
     #
> -# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>               =
      #
> +# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>               =
      #
>   #                                                                        =
     #
>   # This program is free software: you can redistribute it and/or modify   =
     #
>   # it under the terms of the GNU General Public License as published by   =
     #
> @@ -726,8 +726,8 @@ sub drop_hostile_networks () {
>   	&ipset_restore($HOSTILE_CCODE);
>  =20
>   	# Check traffic in incoming/outgoing direction and drop if it matches
> -	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE s=
rc -j HOSTILE_DROP");
> -	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE d=
st -j HOSTILE_DROP");
> +	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE s=
rc -j HOSTILE_DROP_IN");
> +	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE d=
st -j HOSTILE_DROP_OUT");
>   }
>  =20
>   sub ipblocklist () {

--===============0880029209713907862==--