public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. c69c820025c21713cdb77eae3dd4fa61ca71b5fb
Date: Wed, 14 Oct 2020 10:35:05 +0000	[thread overview]
Message-ID: <4CB81j3Rp5z2xgV@people01.haj.ipfire.org> (raw)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  c69c820025c21713cdb77eae3dd4fa61ca71b5fb (commit)
      from  642557e23ba6c1bcab7e654569a35a5f4e6e8acc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c69c820025c21713cdb77eae3dd4fa61ca71b5fb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Oct 14 11:32:05 2020 +0100

    firewall: Filter only on RED and exclude any private address space
    
    Since libloc is built as a tree we cannot simply exclude any address
    space in the middle of it. Therefore we create some firewall rules
    which simply avoid checking non-globally routable address space.
    
    Fixes: #12499
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/firewall/rules.pl                  | 17 +++++++++++++++++
 config/rootfiles/core/151/filelists/files |  1 +
 2 files changed, 18 insertions(+)

Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index cad53a1d7..c2641a92d 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
 
+my @PRIVATE_NETWORKS = (
+	"10.0.0.0/8",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+	"100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
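Review bot: @PRIVATE_NETWORKS lists the three RFC 1918 ranges plus the shared address space 100.64.0.0/10, but the commit message states the aim is to skip all non-globally routable address space, and other ranges that the same `-s ... -j RETURN` rule would cover, such as loopback 127.0.0.0/8 and link-local 169.254.0.0/16, are not included. Either extend the array or add a comment above it saying that only RFC 1918 and CGNAT space is deliberately excluded, so a later reader does not take the list as exhaustive.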
@@ -621,6 +628,16 @@ sub locationblock {
 		return;
 	}
 
+	# Only check the RED interface
+	if ($defaultNetworks{'RED_DEV'} ne "") {
+		run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+	}
+
+	# Do not check any private address space
+	foreach my $network (@PRIVATE_NETWORKS) {
+		run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+	}
+
 	# Loop through all supported locations and
 	# create iptables rules, if blocking for this country
 	# is enabled.
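Review bot: the guard `if ($defaultNetworks{'RED_DEV'} ne "")` only covers the empty-string case; if the key is absent from %defaultNetworks, `ne` on an undefined value raises an "uninitialized value" warning under `use warnings` while still comparing as empty. `if (defined $defaultNetworks{'RED_DEV'} && $defaultNetworks{'RED_DEV'} ne "")` states the intent explicitly. It is also worth a comment that when RED_DEV is empty no interface RETURN rule is added, so the per-country rules below then apply on every interface rather than only on RED; saying whether that fallback is intended would help whoever reads this next.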
diff --git a/config/rootfiles/core/151/filelists/files b/config/rootfiles/core/151/filelists/files
index 8223d97de..9910e1bf9 100644
--- a/config/rootfiles/core/151/filelists/files
+++ b/config/rootfiles/core/151/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs


hooks/post-receive
--
IPFire 2.x development tree
