Peter,
Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from.
It is from H&M (@hjkl, https://community.ipfire.org/u/hjkl): https://community.ipfire.org/t/location-block-filter-strictly-before-fw-input/3870/11?u=jon
Jon
On Jan 8, 2022, at 5:38 AM, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from.
Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block needs to be done. I can take care of this.
Thanks, and best regards, Peter Müller
Hello,
Can we make sure this is well documented somewhere?
Generally we said that the location filter comes first and this will change that behaviour.
Best, -Michael
On 18 Dec 2021, at 13:47, Peter Müller peter.mueller@ipfire.org wrote:
Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain.
Note this affects Tor relay operators only.
Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f..., note the documentation in the wiki needs to be updated once this has landed in production.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi
- # Tor (inbound)
- iptables -N TOR_INPUT
- iptables -A INPUT -j TOR_INPUT
- # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK
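Review bot: the new `iptables -A INPUT -j TOR_INPUT` jump now sits ahead of `iptables -A INPUT -j LOCATIONBLOCK`, so every ACCEPT rule that ends up in TOR_INPUT (populated outside this hunk) becomes a Location-block exemption for the whole INPUT chain; please make sure those rules match only the Tor relay listener and record the ordering dependency in the script itself, e.g. `# Tor (inbound) - must run before LOCATIONBLOCK so relay connections from blocked countries are accepted`, so that a later reordering of iptables_init() does not silently undo it. That in-script note would also cover Michael's request for documentation while the wiki diagram update is still pending.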
@@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT
- # Tor (inbound and outbound)
- iptables -N TOR_INPUT
- iptables -A INPUT -j TOR_INPUT
- # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT
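Review bot: with the TOR_INPUT chain creation and jump removed from this spot, the remaining `# Tor (outbound)` comment is accurate, but a reader looking at the Tor section next to OVPNINPUT and TOR_OUTPUT no longer sees where inbound Tor is handled; a one-line pointer such as `# Tor (inbound) is handled before LOCATIONBLOCK above` would keep the two halves discoverable.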
-- 2.26.2