Hello,

I would like to make it short since I already said how much I like this on the video call…

Please see my replies to the individual patches.

-Michael

> On 18 Dec 2021, at 13:46, Peter Müller wrote:
>
> This patchset improves IPFire's firewall engine by...
>
> (a) improved logging of spoofed packets and martians
>
> (b) prevention of spoofing attempts on RED's interface IP address
>
> (c) dropping traffic from and to networks known to pose a technical threat to
>     IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
>     for details) by default on new installations, doing so in a dedicated, easy
>     to configure IPtables chain.
>
> Sadly, a decent fraction of our userbase does not bother creating any firewall
> rules at all, so any outbound traffic is allowed on their networks. Therefore,
> preventing them from reaching the "baddest of the bad" makes sense for a basic
> detection of their devices and networks.
>
> Any sane IPS configuration would already cover the networks in question, so
> most IPFire machines running a decent IPS policy will already drop the offending
> traffic, albeit in a rather costly way.
>
> Please note this patchset needs additional commits for the Core Update it is
> intended to go to, such as shipping the changed files, and adding sane defaults
> to existing installations in /var/ipfire/optionsfw/settings.
>
> See also: #12031
>
> Peter Müller (11):
>   firewall: Log packets dropped due to conntrack INVALID state
>   firewall: Accept inbound Tor traffic before applying the location filter
>   firewall: Log and drop spoofed loopback packets
>   firewall: Prevent spoofing our own RED IP address
>   firewall: Introduce DROP_HOSTILE
>   optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable
>   Update German and English translation files
>   collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
>   graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well
>   configroot: Enable logging of spoofed packets/martians by default
>   configroot: Drop traffic from and to hostile networks by default
>
>  config/cfgroot/graphs.pl        | 22 ++++++--
>  config/collectd/collectd.conf   |  2 +
>  html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
>  langs/de/cgi-bin/de.pl          |  9 +++-
>  langs/en/cgi-bin/en.pl          |  7 ++-
>  lfs/configroot                  |  4 +-
>  src/initscripts/system/firewall | 63 +++++++++++++++++-----
>  7 files changed, 166 insertions(+), 37 deletions(-)
>
> --
> 2.26.2
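As an added illustration of the two mechanisms the cover letter describes, the dedicated hostile-network chain in (c) and the RED address anti-spoofing rule in (b), here is example shell code that is not IPFire's initscript and not part of the patchset. It emits an iptables-restore fragment rather than touching a live ruleset. The chain names DROP_HOSTILE and DROP_SPOOFED_MARTIAN are taken from the patch list above; the interface name red0, the RED address, the prefix list (RFC 5737 documentation ranges) and the rate limit are assumptions made for this example, and the real hostile list would come from the location database, not a hard-coded string.

```shell
#!/bin/sh
# Added example (not IPFire code): build an iptables-restore fragment with two
# dedicated chains, DROP_SPOOFED_MARTIAN and DROP_HOSTILE, as the cover letter
# describes. On a box with iptables, pipe the output through
# `iptables-restore -n --test` to check the syntax; nothing here changes state.

# Constructed sample of "hostile" prefixes: RFC 5737 documentation ranges,
# not real threat data.
HOSTILE_NETWORKS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# Assumed RED interface name and a placeholder address for it.
RED_DEV="red0"
RED_IP="198.18.0.10"

# Emit an optional rate-limited LOG rule followed by the DROP rule, so that a
# scan from a hostile network cannot flood the log.
# $1 = chain, $2 = match expression, $3 = log flag (on/off)
log_then_drop() {
    chain="$1"; match="$2"; log="$3"
    if [ "$log" = "on" ]; then
        printf '%s\n' "-A $chain $match -m limit --limit 10/second -j LOG --log-prefix \"$chain \""
    fi
    printf '%s\n' "-A $chain $match -j DROP"
}

# A packet arriving on RED that claims RED's own address can only be spoofed.
# $1 = log flag
spoofed_red_rules() {
    log_then_drop DROP_SPOOFED_MARTIAN "-i $RED_DEV -s $RED_IP" "$1"
}

# Rules for one hostile prefix in both directions, so an already compromised
# internal host is also stopped from calling home.
# $1 = prefix, $2 = log flag
hostile_rules_for() {
    log_then_drop DROP_HOSTILE "-s $1" "$2"
    log_then_drop DROP_HOSTILE "-d $1" "$2"
}

# Assemble the *filter fragment. The spoofing check is always present; the
# hostile filter is switchable, mirroring the configurable setting in the patchset.
# $1 = drop hostile (on/off), $2 = log (on/off), $3 = whitespace-separated prefixes
build_fragment() {
    drop_hostile="$1"; log="$2"; nets="$3"
    echo "*filter"
    echo ":DROP_SPOOFED_MARTIAN - [0:0]"
    echo ":DROP_HOSTILE - [0:0]"
    spoofed_red_rules "$log"
    if [ "$drop_hostile" = "on" ]; then
        for net in $nets; do
            hostile_rules_for "$net" "$log"
        done
    fi
    # Hook both chains at the top of the built-in chains so they are consulted
    # before any accept rule; DROP_HOSTILE also covers the firewall's own traffic.
    echo "-I INPUT 1 -j DROP_SPOOFED_MARTIAN"
    echo "-I FORWARD 1 -j DROP_SPOOFED_MARTIAN"
    echo "-I INPUT 2 -j DROP_HOSTILE"
    echo "-I FORWARD 2 -j DROP_HOSTILE"
    echo "-I OUTPUT 1 -j DROP_HOSTILE"
    echo "COMMIT"
}

# Counters used to sanity-check a generated fragment (same args as build_fragment).
count_drop_rules() { build_fragment "$@" | grep -c -- '-j DROP$' || true; }
count_log_rules()  { build_fragment "$@" | grep -c -- '-j LOG ' || true; }

# Usage: print the fragment with the hostile filter and logging enabled.
build_fragment on on "$HOSTILE_NETWORKS"
```

The two-direction rules in hostile_rules_for are the point the cover letter makes about users who never write outbound rules: without the `-d` variant, a machine that is already infected would still reach the listed networks. Keeping the logging in a separate, rate-limited rule means the drop itself never depends on the log module and the counters collectd reads stay cheap.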