From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Firewall initscript: Restore Tor IPTable rules by manual firewall restart
Date: Tue, 16 Jan 2024 15:16:15 +0000 [thread overview]
Message-ID: <ae2a72dbdbce230c87283614b5c4cb8be38732da.camel@ipfire.org> (raw)
In-Reply-To: <717E2D7F-41C5-490E-990D-256B754B9E02@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2150 bytes --]
Hi Michael,
Am Dienstag, dem 16.01.2024 um 15:11 +0000 schrieb Michael Tremer:
> Hello Erik,
>
> Thank you for the patch.
>
> > On 16 Jan 2024, at 15:07, Erik Kapfer <erik.kapfer(a)ipfire.org>
> > wrote:
> >
> > If the firewall will be manually restart via '/etc/init.d/firewall
> > restart',
> > the IPTable rules for the Tor relay will be deleted since
> > 'iptables_init' only
> > flushes and creates inbound and unbound chains for Tor but does not
> > restore the
> > ruleset from Tor initscript.
> >
> > For reference and tests please see -->
> > https://community.ipfire.org/t/tor-stop-working-without-stop-the-process-or-give-an-error-message/10697
> >
> > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > ---
> > src/initscripts/system/firewall | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/src/initscripts/system/firewall
> > b/src/initscripts/system/firewall
> > index 50f2b3e02..50a7f2db9 100644
> > --- a/src/initscripts/system/firewall
> > +++ b/src/initscripts/system/firewall
> > @@ -25,6 +25,7 @@
> > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> > +eval $(/usr/local/bin/readhash /var/ipfire/tor/settings)
>
> Is this file available even when Tor is not installed?
>
> We might get an error message here if it does not exist.
That´s a bad one, you are absolutely right! Since this is the firewall
script, which way do you prefere in here ?
>
> > IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d
> > '\012'`
> > if [ -z $IFACE ]; then
> > IFACE="red0"
> > @@ -387,6 +388,11 @@ iptables_init() {
> > # run captivectrl
> > /usr/local/bin/captivectrl
> >
> > + # If a Tor relay is enabled apply firewall rules
> > + if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ];
> > then
> > + /usr/local/bin/torctrl restart 1> /dev/null
> > + fi
> > +
> > # POLICY CHAIN
> > iptables -N POLICYIN
> > iptables -A INPUT -j POLICYIN
> > --
> > 2.43.0
> >
>
next prev parent reply other threads:[~2024-01-16 15:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-16 15:08 Erik Kapfer
2024-01-16 15:11 ` Michael Tremer
2024-01-16 15:16 ` ummeegge [this message]
2024-01-16 15:17 ` Michael Tremer
2024-01-16 19:47 ` ummeegge
2024-01-16 15:27 ` [PATCH v2] " Erik Kapfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ae2a72dbdbce230c87283614b5c4cb8be38732da.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox