[git.ipfire.org] IPFire 2.x development tree branch, master, updated. 12cd38896795836c3f4e2c8a661b2c36d444d89a

[Michael Tremer <git@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3878 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  12cd38896795836c3f4e2c8a661b2c36d444d89a (commit)
      from  fe6b15f843cfbfe7ba84faa35c87fce2c2470235 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 12cd38896795836c3f4e2c8a661b2c36d444d89a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Mar 11 14:43:11 2022 +0000

    firewall: Make blocking all traffic impossible on HOSTILE
    
    The current setup can fail and block all traffic on RED if the RETURN
    rules could not be created.
    
    This can happen when the kernel fails to load the ipset module, as it is
    the case after upgrading to a new kernel. Restarting the firewall will
    cause that the system is being cut off the internet.
    
    This design now changes that if those rules cannot be created, the
    DROP_HOSTILE feature is just inactive, but it would not disrupt any
    traffic.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/firewall/rules.pl        | 12 +++---------
 src/initscripts/system/firewall | 11 +++++++----
 2 files changed, 10 insertions(+), 13 deletions(-)

Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 57f4809b4..d71304986 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -701,15 +701,9 @@ sub drop_hostile_networks () {
 	# Call function to load the network list of hostile networks.
 	&ipset_restore($HOSTILE_CCODE);
 
-	# Setup rules to pass traffic which does not belong to a hostile network.
-	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
-	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
-
-	# Setup logging.
-	run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix \"DROP_HOSTILE \"");
-
-	# Drop traffic from/to hostile network.
-        run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
+	# Check traffic in incoming/outgoing direction and drop if it matches
+	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
+	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
 }
 
 sub get_protocols {
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2c4d3163b..2a70feac2 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -262,10 +262,13 @@ iptables_init() {
 	# Chains for networks known as being hostile, posing a technical threat to our users
 	# (i. e. listed at Spamhaus DROP et al.)
 	iptables -N HOSTILE
-	iptables -A INPUT -i $IFACE -j HOSTILE
-	iptables -A FORWARD -i $IFACE -j HOSTILE
-	iptables -A FORWARD -o $IFACE -j HOSTILE
-	iptables -A OUTPUT -o $IFACE -j HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
 	# Tor (inbound)
 	iptables -N TOR_INPUT


hooks/post-receive
--
IPFire 2.x development tree