From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH] firewall: Reject outgoing TCP connections to port 25 by default
Date: Sat, 04 Nov 2023 17:35:00 +0000

This will affect new IPFire installations only, implementing a long-standing BCP for preemptively combating botnet spam. Reject is chosen over drop to reduce the likelihood for confusion during network troubleshooting.

Cc: Michael Tremer
Signed-off-by: Peter Müller
Tested-by: Peter Müller
--- config/firewall/config | 1 + lfs/configroot | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 config/firewall/config diff --git a/config/firewall/config b/config/firewall/config new file mode 100644 index 000000000..c871576f2 --- /dev/null +++ b/config/firewall/config @@ -0,0 +1 @@ +1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,S= MTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:= 00,00:00,,AUTO,,dnat,,,,,second diff --git a/lfs/configroot b/lfs/configroot index 2c09ae4a8..66efe04b5 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2022 IPFire Team = # +# Copyright (C) 2007-2023 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # 
@@ -64,7 +64,7 @@ $(TARGET) : for i in auth/users backup/include.user backup/exclude.user \ captive/settings captive/agb.txt captive/clients captive/voucher_out ce= rts/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhc= p/settings \ dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/s= ervers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_ni= cs ethernet/scanned_nics \ - ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extra= hd/settings firewall/settings firewall/config firewall/locationblock firewall= /input firewall/outgoing \ + ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extra= hd/settings firewall/settings firewall/locationblock firewall/input firewall/= outgoing \ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts= /customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsett= ings ipblocklist/modified \ ipblocklist/settings mac/settings main/hosts main/routing main/security= main/settings optionsfw/settings \ ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/conf= ig ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ @@ -102,6 +102,7 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/setti= ngs cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/ + cp $(DIR_SRC)/config/firewall/config $(CONFIG_ROOT)/firewall/config cp $(DIR_SRC)/config/firewall/convert-xtaccess /usr/sbin/convert-xtaccess cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoing= fw cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz -- 2.35.3
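Review bot: in the new config/firewall/config line, the rule matches by a custom service (`cust_srv,SMTP`) but the patch adds no definition of a service with that name; please confirm the custom-services data shipped with a fresh install already contains an entry named exactly `SMTP`, otherwise the rule resolves to nothing on precisely the installations it is meant for. The source is `std_net_src,ALL`, so a legitimate MTA on any internal network is rejected as well; that is a reasonable default, but the commit message or release notes should state that such setups need an explicit allow rule placed above this one.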
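Review bot: in the `@@ -64,7` hunk, dropping `firewall/config` from the `for i in ...` list means the file no longer goes through whatever that loop does beyond creating it (the loop body is outside the hunk, so ownership and mode handling for files the web interface must write is not visible here); the later `cp` will carry the build tree's mode 100644 and root ownership instead. Verify on a fresh install that the web interface can still save the rule set to this file, or apply the same ownership and mode to it after the copy.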
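Review bot: the added `cp $(DIR_SRC)/config/firewall/config $(CONFIG_ROOT)/firewall/config` in the `@@ -102,6` hunk runs only when the config root is built, which is why existing installations never receive the rule, as the commit message says; if the rule is ever meant to reach updated systems, the place for that is a converter alongside `convert-outgoingfw` and `convert-dmz`, not this copy, so a short comment above the `cp` noting that it is install-only would save the next reader the question.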
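The commit message prefers REJECT over DROP because of what the failure looks like from a client during troubleshooting. As an added example (not code from this patch or from IPFire), the following Python probe classifies an outbound TCP attempt from a host behind the firewall: a REJECT answers the SYN (RST or ICMP unreachable), so the connect fails immediately with a refusal, whereas a DROP answers nothing and the client only sees a timeout. The loopback cases it runs are constructed so it works offline; the timeout value and any remote host you point it at are assumptions.

```python
"""Probe an outbound TCP port and classify what the path does with the SYN.

Added example, not IPFire code. A REJECT rule answers the SYN (RST or ICMP
port-unreachable), which Linux surfaces as ECONNREFUSED at once; a DROP rule
answers nothing, so the client waits until its own timeout. The 1.5 s timeout
and the loopback demo targets are assumptions for this example.
"""
import socket


def classify_connect(host: str, port: int, timeout: float = 1.5) -> str:
    """Return 'open', 'refused' (REJECT-like) or 'timeout' (DROP-like)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST or ICMP port-unreachable came back: REJECT behaviour
        # (or simply a closed port on a reachable host).
        return "refused"
    except (socket.timeout, TimeoutError):
        # Nothing came back within the timeout: DROP behaviour.
        return "timeout"
    except OSError as exc:
        # Other ICMP answers (host/net unreachable, no route): report errno.
        return f"error:{exc.errno}"


def _closed_local_port() -> int:
    """Bind an ephemeral loopback port and release it, so a connect is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_results() -> dict:
    """Constructed loopback cases: one closed port, one listening port."""
    results = {"closed": classify_connect("127.0.0.1", _closed_local_port())}
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        results["listening"] = classify_connect("127.0.0.1", srv.getsockname()[1])
    return results


if __name__ == "__main__":
    # From a LAN host behind the firewall you would instead call
    # classify_connect("<some internet mail host>", 25) and expect "refused"
    # with this patch's REJECT rule, "timeout" if it were a DROP.
    for case, outcome in demo_results().items():
        print(f"{case} loopback port -> {outcome}")
```

Run from a machine on GREEN against any internet host on port 25: "refused" within milliseconds is the REJECT the patch installs, while a long wait ending in "timeout" is what a DROP would have produced, which is the troubleshooting confusion the commit message is avoiding.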