Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain.
Note this affects Tor relay operators only.
Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f..., note the documentation in the wiki needs to be updated once this landed in production.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi
+ # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK @@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT
- # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT