Hello,
I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
Whenever we download the database, we extract everything:
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-locatio...
So this should always work.
-Michael
On 18 Dec 2021, at 13:48, Peter Müller peter.mueller@ipfire.org wrote:
Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfere with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
- # Log and drop any traffic from and to networks known as being hostile, posing
- # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
- if [ "$DROPHOSTILE" == "on" ]; then
iptables -N DROP_HOSTILE
iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
- fi
- # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK
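Review bot: the OUTPUT rule in this hunk, `iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE`, matches on the source country code, but packets leaving on $IFACE carry the firewall's own address as source, so this rule will never match traffic the firewall itself originates towards a listed network; it should mirror the FORWARD `-o $IFACE` rule and use `--dst-cc XD`. Two smaller points: the hunk does not show where `$DROPHOSTILE` is read, so it is worth confirming that the settings file providing it is sourced before `iptables_init()` runs (otherwise the comparison is always false and the chain is silently never created), and the hunk removes the blank line between the CUSTOMPOSTROUTING block and the new block, which the surrounding code keeps between sections.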
-- 2.26.2