Reviewed-by: Michael Tremer michael.tremer@ipfire.org

On 18 Feb 2022, at 05:03, Stefan Schantl stefan.schantl@ipfire.org wrote:

Otherwise there is no ipset list use-able and the feature will not work.

Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org

src/initscripts/system/firewall | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index adb2240bb..2ae6157aa 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -22,6 +22,8 @@ IPS_REPEAT_MASK="0x80000000" IPS_BYPASS_MARK="0x40000000" IPS_BYPASS_MASK="0x40000000"

+IPSET_DB_DIR="/var/lib/location/ipset"

function iptables() { /sbin/iptables --wait "$@" } @@ -146,6 +148,9 @@ iptables_init() { # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) iptables -N HOSTILE if [ "$DROPHOSTILE" == "on" ]; then

• # Call ipset and load the list which contains the hostile networks.
  

• ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
  

• iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE

-- 2.30.2