[git.ipfire.org] IPFire 2.x development tree branch, master, updated. 26926c4d12793331cdf51d54a44ea3dfe4780dbf - IPFire-SCM

23 Mar 2022

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
       via  26926c4d12793331cdf51d54a44ea3dfe4780dbf (commit)
      from  38f5bc99125e41140d893baf327a9ac454ea0fa4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 26926c4d12793331cdf51d54a44ea3dfe4780dbf
Author: Peter Müller peter.mueller@ipfire.org
Date:   Wed Mar 23 11:18:34 2022 +0000
firewall: Fix placement of HOSTILE chains
They were mistakenly placed after the IPS chains in commit
    7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
    connection tracking and before the IPS.
Fixes: #12815
Signed-off-by: Peter Müller peter.mueller@ipfire.org
    Reviewed-by: Michael Tremer michael.tremer@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 src/initscripts/system/firewall | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
Difference in files:

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2a70feac2..2597dae10 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,17 @@ iptables_init() {
    iptables -t nat -N CUSTOMPOSTROUTING
    iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+	# Chains for networks known as being hostile, posing a technical threat to our users
+	# (i. e. listed at Spamhaus DROP et al.)
+	iptables -N HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
    # IPS (Guardian) chains
    iptables -N GUARDIAN
    iptables -A INPUT -j GUARDIAN
@@ -259,17 +270,6 @@ iptables_init() {
    	iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
    fi
-	# Chains for networks known as being hostile, posing a technical threat to our users
-	# (i. e. listed at Spamhaus DROP et al.)
-	iptables -N HOSTILE
-	iptables -A INPUT -j HOSTILE
-	iptables -A FORWARD -j HOSTILE
-	iptables -A OUTPUT -j HOSTILE
-
-	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
-	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
    # Tor (inbound)
    iptables -N TOR_INPUT
    iptables -A INPUT -j TOR_INPUT
hooks/post-receive
--
IPFire 2.x development tree

    