Acked-by: Michael Tremer > On 27 Jan 2020, at 15:04, Peter Müller wrote: > > Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or > OpenVPN) destinations was emitted to the internet (ppp0 or red0 > interface) directly if the IPS was enabled but crashed during operation. > > This patch places the IPSECBLOCK and OVPNBLOCK chains before the > ones responsible for forwarding traffic into the IPS. > > Thanks to Michael for his debugging effort. > > Partially fixes #12257 > > Cc: Michael Tremer > Cc: Stefan Schantl > Signed-off-by: Peter Müller > --- > src/initscripts/system/firewall | 16 ++++++++-------- > 1 file changed, 8 insertions(+), 8 deletions(-) > > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > index ec396c708..ab144ea18 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -185,14 +185,6 @@ iptables_init() { > iptables -A INPUT -j GUARDIAN > iptables -A FORWARD -j GUARDIAN > > - # IPS (suricata) chains > - iptables -N IPS_INPUT > - iptables -N IPS_FORWARD > - iptables -N IPS_OUTPUT > - iptables -A INPUT -j IPS_INPUT > - iptables -A FORWARD -j IPS_FORWARD > - iptables -A OUTPUT -j IPS_OUTPUT > - > # Block non-established IPsec networks > iptables -N IPSECBLOCK > iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK > @@ -204,6 +196,14 @@ iptables_init() { > iptables -A FORWARD -i tun+ -j OVPNBLOCK > iptables -A FORWARD -o tun+ -j OVPNBLOCK > > + # IPS (suricata) chains > + iptables -N IPS_INPUT > + iptables -N IPS_FORWARD > + iptables -N IPS_OUTPUT > + iptables -A INPUT -j IPS_INPUT > + iptables -A FORWARD -j IPS_FORWARD > + iptables -A OUTPUT -j IPS_OUTPUT > + > # OpenVPN transfer network translation > iptables -t nat -N OVPNNAT > iptables -t nat -A POSTROUTING -j OVPNNAT > -- > 2.16.4
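Review bot: on the first hunk (removal of the IPS chain setup after the GUARDIAN jumps), the only context visible between the two hunks is the IPSECBLOCK and OVPNBLOCK setup, which does not jump to IPS_INPUT/IPS_FORWARD/IPS_OUTPUT, but the lines not shown between the end of the first hunk and the start of the second (original lines around 188 to 195) should be checked for any `-j IPS_*` rule, since after this move such a rule would be appended before the chain exists and iptables would fail at that point in iptables_init(). Also, the commit message describes a problem only in the FORWARD path, yet the IPS_INPUT and IPS_OUTPUT jumps travel along with IPS_FORWARD; a sentence stating that INPUT/OUTPUT are moved only to keep the block together would stop a later reader from looking for a reason that is not there.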
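Review bot: on the second hunk (re-adding the IPS chains after the OVPNBLOCK jumps), the fix depends entirely on rule order, since IPSECBLOCK and OVPNBLOCK now get a look at VPN-destined traffic before it is handed to the IPS queue, so the traffic is dropped rather than forwarded in clear when the IPS has crashed, but the re-added comment is still just `# IPS (suricata) chains` and gives no hint that the position matters. Suggest extending it, e.g. `# IPS (suricata) chains - must stay after IPSECBLOCK/OVPNBLOCK so VPN traffic is never forwarded unencrypted when the IPS queue is unavailable`, so a future cleanup does not reorder the block and silently reintroduce the leak. Since the message says "Partially fixes #12257", it would also help to name in the commit message which part of the issue remains open after this change.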