public inbox for development@lists.ipfire.org
* [PATCH] firewall: Reject outgoing TCP connections to port 25 by default
@ 2023-11-04 17:35 Peter Müller
  2023-11-05 13:17 ` Michael Tremer
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Müller @ 2023-11-04 17:35 UTC (permalink / raw)
  To: development


This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.

Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/firewall/config | 1 +
 lfs/configroot         | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 config/firewall/config

diff --git a/config/firewall/config b/config/firewall/config
new file mode 100644
index 000000000..c871576f2
--- /dev/null
+++ b/config/firewall/config
@@ -0,0 +1 @@
+1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
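Review bot: the rule resolves its port through a custom service reference (`cust_srv,SMTP`), yet nothing in this patch defines that service; confirm that the default `fwhosts/customservices` shipped with a fresh install already carries an entry named `SMTP` for TCP/25, otherwise the rule will not resolve to a port on exactly the installations it is meant to protect. Because the rule is placed in FORWARDFW only, mail sent by the firewall host itself (its own notifications) is not affected, and submission on other ports is left open by design since only the SMTP service is named; both points belong in the commit message. The file carries no format documentation, so a sentence in the commit message mapping the populated positional fields (action `REJECT`, chain `FORWARDFW`, source `ALL` to target `RED`, protocol `TCP`, the `00:00` time fields) would help whoever next has to edit this one-liner.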
diff --git a/lfs/configroot b/lfs/configroot
index 2c09ae4a8..66efe04b5 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -64,7 +64,7 @@ $(TARGET) :
 	for i in auth/users backup/include.user backup/exclude.user \
 	    captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
 	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
+	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
 	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
 	    ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
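Review bot: removing `firewall/config` from the `for i in ...` list is a cleanup rather than a functional requirement, since the `cp` added later in the same target runs after this loop and would overwrite the empty file it creates anyway. The change is correct as long as whatever the loop body does for the remaining entries (creation plus any ownership or mode handling) is not the only place the web UI's write access to this file was established; see the note on the `cp` hunk below.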
@@ -102,6 +102,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/logging-settings		$(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans
 	cp $(DIR_SRC)/langs/list				$(CONFIG_ROOT)/langs/
+	cp $(DIR_SRC)/config/firewall/config			$(CONFIG_ROOT)/firewall/config
 	cp $(DIR_SRC)/config/firewall/convert-xtaccess		/usr/sbin/convert-xtaccess
 	cp $(DIR_SRC)/config/firewall/convert-outgoingfw	/usr/sbin/convert-outgoingfw
 	cp $(DIR_SRC)/config/firewall/convert-dmz		/usr/sbin/convert-dmz
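Review bot: the new `cp` of `config/firewall/config` into `$(CONFIG_ROOT)/firewall/config` runs at image build time, so the "new installations only" statement in the commit message holds only if the update path never re-applies this target over an existing `/var/ipfire/firewall/config`; confirm that core updates leave that file untouched, or an upgraded system could have its rule set replaced by the single default rule. The file now arrives via `cp` instead of being created with the other config files, so its owner and mode should be checked against what the web UI needs to save rules; the neighbouring `cp` lines for `logging/settings` and `ethernet/vlans` are the precedent here, and whatever ownership fixup they rely on must cover the new file as well.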
-- 
2.35.3



* Re: [PATCH] firewall: Reject outgoing TCP connections to port 25 by default
  2023-11-04 17:35 [PATCH] firewall: Reject outgoing TCP connections to port 25 by default Peter Müller
@ 2023-11-05 13:17 ` Michael Tremer
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2023-11-05 13:17 UTC (permalink / raw)
  To: development


Hello Peter,

Thanks for the patch.

In rather inconvenient timing, I branched the update yesterday, so this will be part of the next update.

It would also be great to gather some more feedback from the community to see how they are feeling about more pre-configuration.

Best,
-Michael

> On 4 Nov 2023, at 17:35, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This will affect new IPFire installations only, implementing a
> long-standing BCP for preemptively combating botnet spam. Reject is
> chosen over drop to reduce the likelihood for confusion during network
> troubleshooting.
> 
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/firewall/config | 1 +
> lfs/configroot         | 5 +++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
> create mode 100644 config/firewall/config
> 
> diff --git a/config/firewall/config b/config/firewall/config
> new file mode 100644
> index 000000000..c871576f2
> --- /dev/null
> +++ b/config/firewall/config
> @@ -0,0 +1 @@
> +1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
> diff --git a/lfs/configroot b/lfs/configroot
> index 2c09ae4a8..66efe04b5 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -1,7 +1,7 @@
> ###############################################################################
> #                                                                             #
> # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
> +# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
> #                                                                             #
> # This program is free software: you can redistribute it and/or modify        #
> # it under the terms of the GNU General Public License as published by        #
> @@ -64,7 +64,7 @@ $(TARGET) :
> for i in auth/users backup/include.user backup/exclude.user \
>    captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
>    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
> -    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
> +    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
>    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
>    ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
>    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
> @@ -102,6 +102,7 @@ $(TARGET) :
> cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
> cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
> cp $(DIR_SRC)/langs/list $(CONFIG_ROOT)/langs/
> + cp $(DIR_SRC)/config/firewall/config $(CONFIG_ROOT)/firewall/config
> cp $(DIR_SRC)/config/firewall/convert-xtaccess /usr/sbin/convert-xtaccess
> cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoingfw
> cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz
> -- 
> 2.35.3
> 


