Peter,

Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables,
which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK",
so it's outdated anyway, and I don't know what source it is generated from.

It is from H&M @hjkl:
https://community.ipfire.org/t/location-block-filter-strictly-before-fw-input/3870/11?u=jon


Jon


On Jan 8, 2022, at 5:38 AM, Peter Müller <peter.mueller@ipfire.org> wrote:

Hello Michael,

thanks for your reply.

Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables,
which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK",
so it's outdated anyway, and I don't know what source it is generated from.

Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block
needs to be done. I can take care of this.

Thanks, and best regards,
Peter Müller


Hello,

Can we make sure this is well documented somewhere?

Generally we said that the location filter comes first and this will change that behaviour.

Best,
-Michael

On 18 Dec 2021, at 13:47, Peter Müller <peter.mueller@ipfire.org> wrote:

Inbound Tor traffic conflicts with Location block as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the Location block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/,
note the documentation in the wiki needs to be updated once this has landed
in production.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 49c6b7bf9..cc5baa292 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -227,6 +227,10 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi

+ # Tor (inbound)
+ iptables -N TOR_INPUT
+ iptables -A INPUT -j TOR_INPUT
+
# Location Block
iptables -N LOCATIONBLOCK
iptables -A INPUT -j LOCATIONBLOCK
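Review bot: the jump into TOR_INPUT is unconditional (`iptables -A INPUT -j TOR_INPUT`) and now sits above LOCATIONBLOCK, so whatever rules are appended to TOR_INPUT elsewhere are evaluated before any location filtering; those rules are not part of this diff, so the review should confirm they match only the relay's listening port(s), because any ACCEPT placed in this chain is now exempt from the location block. The ordering is deliberate but not self-evident from the comment; expanding `# Tor (inbound)` to say it must precede LOCATIONBLOCK so relay connections from blocked countries are still accepted would document the reason in the script itself and give the wiki update mentioned in the commit message something to point at.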
@@ -260,9 +264,7 @@ iptables_init() {
iptables -N OVPNINPUT
iptables -A INPUT -j OVPNINPUT

- # Tor (inbound and outbound)
- iptables -N TOR_INPUT
- iptables -A INPUT -j TOR_INPUT
+ # Tor (outbound)
iptables -N TOR_OUTPUT
iptables -A OUTPUT -j TOR_OUTPUT

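Review bot: this hunk has to land together with the first one: without it `iptables -N TOR_INPUT` runs twice inside iptables_init() and the second call fails because the chain already exists. With both applied the net effect is a move of the inbound jump only; TOR_OUTPUT keeps its position after OVPNINPUT, which the commit message could state explicitly, since the old comment `# Tor (inbound and outbound)` suggested the two chains were set up as a pair.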
--
2.26.2
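To make the ordering argument in the patch concrete, here is an added example that is not part of this thread or of IPFire's firewall initscript: a small Python model of how netfilter walks the INPUT chain, with the chain and target names taken from the patch. It evaluates a constructed Tor connection and a constructed SSH attempt from a blocked country against both orders, and also models a TOR_INPUT that accepts too much, which is the check a reviewer wants once that chain sits above LOCATIONBLOCK. The ORPort 9001, the country code "XX", the packets and the single-rule contents of TOR_INPUT and LOCATIONBLOCK are assumptions for the example, not IPFire's real rule sets.

```python
# Added example: a model of iptables chain traversal for the INPUT path
# before and after the patch. Chain/target names come from the patch; the
# ORPort, the blocked country "XX" and the packets are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_country: str   # country code the location database resolved for the source
    dport: int         # destination port
    proto: str = "tcp"


TERMINAL = {"ACCEPT", "DROP"}
BLOCKED_COUNTRIES = {"XX"}   # constructed: what LOCATIONBLOCK is configured to drop
TOR_ORPORT = 9001            # assumed relay ORPort for this example


def build_chains(tor_before_locationblock, tor_rule_too_broad=False):
    """Return {chain: [(match, target), ...]} for the INPUT path.

    tor_before_locationblock=False models the chain order before the patch,
    True models it after.  tor_rule_too_broad=True models a TOR_INPUT that
    accepts everything instead of only the ORPort, to show what a permissive
    rule in that chain bypasses once it precedes LOCATIONBLOCK.
    """
    if tor_rule_too_broad:
        tor_match = lambda p: True
    else:
        tor_match = lambda p: p.proto == "tcp" and p.dport == TOR_ORPORT
    chains = {
        "TOR_INPUT": [(tor_match, "ACCEPT")],
        "LOCATIONBLOCK": [(lambda p: p.src_country in BLOCKED_COUNTRIES, "DROP")],
    }
    if tor_before_locationblock:
        order = ["TOR_INPUT", "LOCATIONBLOCK"]   # after the patch
    else:
        order = ["LOCATIONBLOCK", "TOR_INPUT"]   # before the patch
    # `iptables -A INPUT -j <chain>` without a match: every packet enters the chain.
    chains["INPUT"] = [((lambda p: True), name) for name in order]
    return chains


def traverse(chains, chain, packet):
    """Walk a chain the way netfilter does: the first terminal verdict wins;
    a user chain that ends without a verdict returns to the calling chain."""
    for match, target in chains[chain]:
        if not match(packet):
            continue
        if target in TERMINAL:
            return target
        verdict = traverse(chains, target, packet)   # jump into the user chain
        if verdict is not None:
            return verdict
    return None  # end of chain: implicit RETURN, or the INPUT policy at top level


def input_verdict(packet, tor_before_locationblock, tor_rule_too_broad=False):
    """Verdict for one packet; None means it fell through to the INPUT policy."""
    chains = build_chains(tor_before_locationblock, tor_rule_too_broad)
    return traverse(chains, "INPUT", packet)


if __name__ == "__main__":
    relay_conn = Packet("XX", TOR_ORPORT)   # constructed: Tor client in a blocked country
    ssh_conn = Packet("XX", 22)             # constructed: SSH attempt from the same country
    for label, after in (("before patch", False), ("after patch", True)):
        print(label, "tor:", input_verdict(relay_conn, after),
              "ssh:", input_verdict(ssh_conn, after))
    print("after patch, TOR_INPUT accepting everything, ssh:",
          input_verdict(ssh_conn, True, tor_rule_too_broad=True))
```

Before the patch the relay connection is dropped in LOCATIONBLOCK before TOR_INPUT is ever reached; after the patch it is accepted while the SSH attempt from the same country is still dropped, which is the behaviour the commit message describes. The last line shows the trade-off: once TOR_INPUT precedes LOCATIONBLOCK, any ACCEPT in that chain is exempt from the location filter, so the inbound Tor rule has to stay narrow.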