public inbox for development@lists.ipfire.org
* [PATCH] firewall: accept inbound Tor traffic before applying GeoIP
@ 2019-07-04 17:43 Peter Müller
  2019-07-04 18:23 ` Michael Tremer
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Müller @ 2019-07-04 17:43 UTC (permalink / raw)
  To: development


Inbound Tor traffic conflicts with GeoIP block as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the GeoIP block
chain.

Note this affects Tor relay operators only.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index b3483a744..e4b29da28 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -269,6 +269,10 @@ iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi
 
+	# Tor (inbound)
+	iptables -N TOR_INPUT
+	iptables -A INPUT -j TOR_INPUT
+
 	# GeoIP block
 	iptables -N GEOIPBLOCK
 	iptables -A INPUT -j GEOIPBLOCK
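Review bot: the commit message says inbound Tor traffic is "accepted" before GeoIP, but this hunk only creates TOR_INPUT and adds the jump; the rules that actually accept anything in that chain are not part of this diff, so the message should state where TOR_INPUT is populated and that the jump simply returns to INPUT for non-matching packets. It should also spell out that an ACCEPT in TOR_INPUT now bypasses GEOIPBLOCK and every other INPUT check that sits between the old hook point (just after OVPNINPUT, see the second hunk) and the new one, not only the GeoIP block. As the documentation describes the GeoIP filter as the first thing that drops non-permitted traffic, it needs to be updated in step with this change.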
@@ -302,9 +306,7 @@ iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# Tor (inbound and outbound)
-	iptables -N TOR_INPUT
-	iptables -A INPUT -j TOR_INPUT
+	# Tor (outbound)
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
 	
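Review bot: with the inbound chain moved out of this block, the remaining `# Tor (outbound)` comment gives a reader no hint that TOR_INPUT still exists further up; add a one-line pointer such as `# TOR_INPUT is hooked into INPUT before GEOIPBLOCK (see above)` so nobody concludes inbound Tor filtering was removed. The whitespace-only context line closing the hunk also carries a stray tab, which is worth cleaning up while this section is being touched.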
-- 
2.16.4



* Re: [PATCH] firewall: accept inbound Tor traffic before applying GeoIP
  2019-07-04 17:43 [PATCH] firewall: accept inbound Tor traffic before applying GeoIP Peter Müller
@ 2019-07-04 18:23 ` Michael Tremer
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Tremer @ 2019-07-04 18:23 UTC (permalink / raw)
  To: development


Hi,

I am not sure if I agree.

Not because this does not make sense technologically, but in the documentation we have always said that the GeoIP filter comes first and drops all traffic that isn’t permitted here.

Can we make sure that we update this accordingly?

-Michael

> On 4 Jul 2019, at 18:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Inbound Tor traffic conflicts with GeoIP block as inbound connections
> have to be accepted from many parts of the world. To solve this,
> inbound Tor traffic has to be accepted before jumping into the GeoIP block
> chain.
> 
> Note this affects Tor relay operators only.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..e4b29da28 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -269,6 +269,10 @@ iptables_init() {
> 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> 	fi
> 
> +	# Tor (inbound)
> +	iptables -N TOR_INPUT
> +	iptables -A INPUT -j TOR_INPUT
> +
> 	# GeoIP block
> 	iptables -N GEOIPBLOCK
> 	iptables -A INPUT -j GEOIPBLOCK
> @@ -302,9 +306,7 @@ iptables_init() {
> 	iptables -N OVPNINPUT
> 	iptables -A INPUT -j OVPNINPUT
> 
> -	# Tor (inbound and outbound)
> -	iptables -N TOR_INPUT
> -	iptables -A INPUT -j TOR_INPUT
> +	# Tor (outbound)
> 	iptables -N TOR_OUTPUT
> 	iptables -A OUTPUT -j TOR_OUTPUT
> 	
> -- 
> 2.16.4
> 


