public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. c69c820025c21713cdb77eae3dd4fa61ca71b5fb
@ 2020-10-14 10:35 Michael Tremer
  0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2020-10-14 10:35 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  c69c820025c21713cdb77eae3dd4fa61ca71b5fb (commit)
      from  642557e23ba6c1bcab7e654569a35a5f4e6e8acc (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c69c820025c21713cdb77eae3dd4fa61ca71b5fb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Oct 14 11:32:05 2020 +0100

    firewall: Filter only on RED and exclude any private address space
    
    Since libloc is built as a tree we cannot simply exclude any address
    space in the middle of it. Therefore we create some firewall rules
    which simply avoid checking non-globally routable address space.
    
    Fixes: #12499
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/firewall/rules.pl                  | 17 +++++++++++++++++
 config/rootfiles/core/151/filelists/files |  1 +
 2 files changed, 18 insertions(+)

Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index cad53a1d7..c2641a92d 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
 
+my @PRIVATE_NETWORKS = (
+	"10.0.0.0/8",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+	"100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
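Review bot: the new @PRIVATE_NETWORKS list covers only the three RFC 1918 blocks plus the shared address space 100.64.0.0/10, while the commit message says the rules should skip any "non-globally routable address space"; loopback (127.0.0.0/8), link-local (169.254.0.0/16) and multicast (224.0.0.0/4) are not in the list. Either extend the list or add a short comment above it stating that only RFC 1918 and RFC 6598 ranges are deliberately excluded, so the next reader does not assume the omission is an oversight.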
@@ -621,6 +628,16 @@ sub locationblock {
 		return;
 	}
 
+	# Only check the RED interface
+	if ($defaultNetworks{'RED_DEV'} ne "") {
+		run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+	}
+
+	# Do not check any private address space
+	foreach my $network (@PRIVATE_NETWORKS) {
+		run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+	}
+
 	# Loop through all supported locations and
 	# create iptables rules, if blocking for this country
 	# is enabled.
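Review bot: the guard `if ($defaultNetworks{'RED_DEV'} ne "")` fails open: when RED_DEV is empty the `! -i ... -j RETURN` rule is not installed and the country rules appended below apply to traffic on every interface, which silently undoes the "filter only on RED" behaviour from the subject line. Please confirm RED_DEV is populated in every RED mode (static, DHCP, PPP/PPPoE) or at least leave a comment explaining that this branch is expected to always be taken. A comment on the `-s $network -j RETURN` loop would also help: it only excludes private source addresses, so a packet arriving on RED with a spoofed private source is handed back to the calling chain without a location check, which is the intended trade-off but not obvious from the code.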
diff --git a/config/rootfiles/core/151/filelists/files b/config/rootfiles/core/151/filelists/files
index 8223d97de..9910e1bf9 100644
--- a/config/rootfiles/core/151/filelists/files
+++ b/config/rootfiles/core/151/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs


hooks/post-receive
--
IPFire 2.x development tree
