* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 247e97800d294acac4c22376951ca6acaf81f5fa
@ 2022-03-23 16:07 Peter Müller
0 siblings, 0 replies; only message in thread
From: Peter Müller @ 2022-03-23 16:07 UTC (permalink / raw)
To: ipfire-scm
[-- Attachment #1: Type: text/plain, Size: 2924 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 247e97800d294acac4c22376951ca6acaf81f5fa (commit)
from e68cfdb1404f7e18c4d2f9601734580ee9c9d8a5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 247e97800d294acac4c22376951ca6acaf81f5fa
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Wed Mar 23 11:18:34 2022 +0000
firewall: Fix placement of HOSTILE chains
They were mistakenly placed after the IPS chains in commit
7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
connection tracking and before the IPS.
Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
src/initscripts/system/firewall | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
Difference in files:
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2a70feac2..2597dae10 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,17 @@ iptables_init() {
iptables -t nat -N CUSTOMPOSTROUTING
iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ # Chains for networks known as being hostile, posing a technical threat to our users
+ # (i. e. listed at Spamhaus DROP et al.)
+ iptables -N HOSTILE
+ iptables -A INPUT -j HOSTILE
+ iptables -A FORWARD -j HOSTILE
+ iptables -A OUTPUT -j HOSTILE
+
+ iptables -N HOSTILE_DROP
+ iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
# IPS (Guardian) chains
iptables -N GUARDIAN
iptables -A INPUT -j GUARDIAN
@@ -259,17 +270,6 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
- # Chains for networks known as being hostile, posing a technical threat to our users
- # (i. e. listed at Spamhaus DROP et al.)
- iptables -N HOSTILE
- iptables -A INPUT -j HOSTILE
- iptables -A FORWARD -j HOSTILE
- iptables -A OUTPUT -j HOSTILE
-
- iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
# Tor (inbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-03-23 16:07 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-23 16:07 [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 247e97800d294acac4c22376951ca6acaf81f5fa Peter Müller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox