This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  c69c820025c21713cdb77eae3dd4fa61ca71b5fb (commit)
      from  642557e23ba6c1bcab7e654569a35a5f4e6e8acc (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit c69c820025c21713cdb77eae3dd4fa61ca71b5fb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Oct 14 11:32:05 2020 +0100
firewall: Filter only on RED and exclude any private address space
Since libloc is built as a tree, we cannot simply exclude any address space in the middle of it. Therefore we create some firewall rules which simply avoid checking non-globally routable address space.
Fixes: #12499
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/firewall/rules.pl                  | 17 +++++++++++++++++
 config/rootfiles/core/151/filelists/files |  1 +
 2 files changed, 18 insertions(+)
Difference in files: diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index cad53a1d7..c2641a92d 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
+my @PRIVATE_NETWORKS = ( + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16", + "100.64.0.0/10", +); + my %fwdfwsettings=(); my %fwoptions = (); my %defaultNetworks=(); @@ -621,6 +628,16 @@ sub locationblock { return; }
+ # Only check the RED interface + if ($defaultNetworks{'RED_DEV'} ne "") { + run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN"); + } + + # Do not check any private address space + foreach my $network (@PRIVATE_NETWORKS) { + run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN"); + } + # Loop through all supported locations and # create iptables rules, if blocking for this country # is enabled. diff --git a/config/rootfiles/core/151/filelists/files b/config/rootfiles/core/151/filelists/files index 8223d97de..9910e1bf9 100644 --- a/config/rootfiles/core/151/filelists/files +++ b/config/rootfiles/core/151/filelists/files @@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/bin/probenic.sh +usr/lib/firewall/rules.pl usr/local/bin/ipsecctrl var/ipfire/general-functions.pl var/ipfire/langs
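Review bot: In the @PRIVATE_NETWORKS hunk, the list covers the three RFC 1918 blocks plus the RFC 6598 shared address space (100.64.0.0/10), but the commit message says "any private address space" and "non-globally routable address space", and ranges such as 169.254.0.0/16 (link-local) and 224.0.0.0/4 (multicast) are not in the list; either extend the array or narrow the `# Do not check any private address space` comment to say that only RFC 1918 and CGNAT ranges are skipped. A one-line comment on the array naming the RFCs would also explain why 100.64.0.0/10, which is not strictly "private", belongs there.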
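Review bot: In the locationblock hunk, `$defaultNetworks{'RED_DEV'} ne ""` reads a hash element that may not exist; if RED_DEV is absent this emits a "Use of uninitialized value" warning when warnings are enabled and, more importantly, the `! -i ... -j RETURN` rule is simply not added, so LOCATIONBLOCK silently applies to every interface. Suggest `if (defined $defaultNetworks{'RED_DEV'} && $defaultNetworks{'RED_DEV'} ne "")` plus a log line in an else branch so that fall-through is visible. The two RETURN rules are appended before the per-country rules, which is the correct order, but `-i` only matches in chains that see an input interface, so it is worth confirming that LOCATIONBLOCK is only jumped to from INPUT/FORWARD and never from OUTPUT, where iptables rejects `-i`.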
hooks/post-receive -- IPFire 2.x development tree