Hello, Can we make sure this is well documented somewhere? Generally we said that the location filter comes first and this will change that behaviour. Best, -Michael > On 18 Dec 2021, at 13:47, Peter Müller wrote: > > Inbound Tor traffic conflicts with Location block as inbound connections > have to be accepted from many parts of the world. To solve this, > inbound Tor traffic has to be accepted before jumping into Location block > chain. > > Note this affects Tor relay operators only. > > Rolled forward as ongoing from > https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90(a)ipfire.org/, > note the documentation in the wiki needs to be updated once this landed > in production. > > Signed-off-by: Peter Müller > --- > src/initscripts/system/firewall | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > index 49c6b7bf9..cc5baa292 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -227,6 +227,10 @@ iptables_init() { > iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT > fi > > + # Tor (inbound) > + iptables -N TOR_INPUT > + iptables -A INPUT -j TOR_INPUT > + > # Location Block > iptables -N LOCATIONBLOCK > iptables -A INPUT -j LOCATIONBLOCK > @@ -260,9 +264,7 @@ iptables_init() { > iptables -N OVPNINPUT > iptables -A INPUT -j OVPNINPUT > > - # Tor (inbound and outbound) > - iptables -N TOR_INPUT > - iptables -A INPUT -j TOR_INPUT > + # Tor (outbound) > iptables -N TOR_OUTPUT > iptables -A OUTPUT -j TOR_OUTPUT > > -- > 2.26.2
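Review bot: the new "# Tor (inbound)" comment in the first hunk (@@ -227,6 +227,10 @@) does not say that the position of this block is deliberate. Because `iptables -A INPUT -j TOR_INPUT` is now appended before `iptables -A INPUT -j LOCATIONBLOCK`, any packet accepted in TOR_INPUT never reaches the location filter, and a later cleanup that reorders these blocks would silently undo the change. Suggest expanding the comment to state that the chain must stay ahead of LOCATIONBLOCK and that it is meant to hold only the relay's inbound accept rules. The hunk does not show what populates TOR_INPUT, so it is worth confirming that those rules match only the relay's listening ports.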
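Review bot: in the second hunk (@@ -260,9 +264,7 @@), the removed `iptables -A INPUT -j TOR_INPUT` sat directly after `iptables -A INPUT -j OVPNINPUT`, while the new position is around line 227, so the jump has moved ahead of every INPUT chain registered between the two hunks, not only LOCATIONBLOCK. The commit message mentions the Location block chain only. Suggest listing in the commit message which chains TOR_INPUT now precedes and confirming that none of them is expected to see inbound Tor traffic first. The shortened "# Tor (outbound)" comment matches the remaining TOR_OUTPUT lines.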