public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] firewall: Reject outgoing TCP connections to port 25 by default
Date: Sat, 04 Nov 2023 17:35:00 +0000	[thread overview]
Message-ID: <f61bc590-4964-48b2-b48e-d7243b78a369@ipfire.org> (raw)


This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood of confusion during network
troubleshooting.

Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/firewall/config | 1 +
 lfs/configroot         | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 config/firewall/config

diff --git a/config/firewall/config b/config/firewall/config
new file mode 100644
index 000000000..c871576f2
--- /dev/null
+++ b/config/firewall/config
@@ -0,0 +1 @@
+1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
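Review bot: the rule matches every internal source (std_net_src,ALL) toward RED, so it also cuts off a mail server in a DMZ or LAN segment that delivers directly on port 25; the commit message should say that such hosts need an ACCEPT rule ordered ahead of this one, and that submission to a smarthost on 587/465 is unaffected. The service is referenced as cust_srv,SMTP, yet the patch ships no custom-service definition for that name; confirm a fresh install resolves it, or specify the destination port directly in the rule. REJECT over DROP is the right choice for the reason given, and the description field documents the intent clearly.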
diff --git a/lfs/configroot b/lfs/configroot
index 2c09ae4a8..66efe04b5 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -64,7 +64,7 @@ $(TARGET) :
 	for i in auth/users backup/include.user backup/exclude.user \
 	    captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
 	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
+	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
 	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
 	    ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
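Review bot: dropping firewall/config from this list means the loop no longer creates it as an empty file, so a fresh install now depends entirely on the cp added further down in this makefile; check whether any ownership or permission handling that follows this loop is scoped to the files listed here, because the firewall web UI has to be able to rewrite firewall/config when the admin edits or disables the shipped rule.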
@@ -102,6 +102,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/logging-settings		$(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans
 	cp $(DIR_SRC)/langs/list				$(CONFIG_ROOT)/langs/
+	cp $(DIR_SRC)/config/firewall/config			$(CONFIG_ROOT)/firewall/config
 	cp $(DIR_SRC)/config/firewall/convert-xtaccess		/usr/sbin/convert-xtaccess
 	cp $(DIR_SRC)/config/firewall/convert-outgoingfw	/usr/sbin/convert-outgoingfw
 	cp $(DIR_SRC)/config/firewall/convert-dmz		/usr/sbin/convert-dmz
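Review bot: this only seeds the rule on new installations, as the commit message states, while the convert-* helpers copied right below are the upgrade path; add a sentence for the release announcement or wiki that existing installations must add the rule themselves, and consider placing this cp next to the other $(DIR_SRC)/config/cfgroot copies above rather than among the converter scripts. The copied file also pins the rule as number 1; confirm the firewall GUI renumbers cleanly when the admin inserts rules ahead of it.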
-- 
2.35.3
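The commit message prefers REJECT over DROP so that a blocked connection fails fast instead of hanging. The following is an added example of my own, not code from the patch or from IPFire, that probes a destination port from a client behind the firewall and classifies the failure mode so the two policies can be told apart during troubleshooting. It assumes Linux client behaviour (an ICMP port-unreachable or TCP RST answer surfaces as ECONNREFUSED, a dropped SYN as a timeout) and uses 587/465 as a control group on the assumption that submission ports are left open; the loopback helpers only exist to provide constructed local targets.

```python
import errno
import socket

# Added example; not IPFire code. Probes a TCP port the way an admin on a
# client behind the firewall would, and classifies the failure so a REJECT
# rule (fast "connection refused") can be told from a DROP rule (silent
# timeout). Assumes the Linux client mapping of ICMP port-unreachable or a
# TCP RST to ECONNREFUSED.


def classify_tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"          # what a DROP rule looks like from outside
        except ConnectionRefusedError:
            return "refused"          # what a REJECT rule (or no listener) looks like
        except OSError as exc:
            if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                return "unreachable"  # no route / ICMP host-unreachable
            raise


def explain(result: str) -> str:
    """Translate the probe outcome into the firewall policy it suggests."""
    return {
        "open": "port reachable: no outbound rule blocked the connection",
        "refused": "rejected immediately: consistent with a REJECT rule "
                   "(or a reachable host with nothing listening)",
        "timeout": "no answer at all: consistent with a DROP rule or a blackhole",
        "unreachable": "no route to host: check routing before blaming the firewall",
    }[result]


def closed_local_port() -> int:
    """Find a loopback port with no listener (constructed probe target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def open_local_listener() -> socket.socket:
    """Start a loopback listener (constructed control for the 'open' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Behind the new default rule, port 25 toward the internet should come
    # back "refused"; 587/465 (submission) serve as a control that should
    # still answer normally when a mail provider listens there.
    for port in (25, 587, 465):
        outcome = classify_tcp_probe(target, port)
        print(f"{target}:{port} -> {outcome}: {explain(outcome)}")
```

Run it from a client on GREEN, BLUE or ORANGE against a known MX host: a "refused" on 25 with "open" on 587 means the new rule is in effect and submission still works; a "timeout" on 25 points to a DROP somewhere on the path rather than this rule.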


Thread overview:
2023-11-04 17:35 Peter Müller [this message]
2023-11-05 13:17 ` Michael Tremer
