[git.ipfire.org] IPFire 2.x development tree branch, master, updated. 26926c4d12793331cdf51d54a44ea3dfe4780dbf

[Michael Tremer <git@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2991 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  26926c4d12793331cdf51d54a44ea3dfe4780dbf (commit)
      from  38f5bc99125e41140d893baf327a9ac454ea0fa4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 26926c4d12793331cdf51d54a44ea3dfe4780dbf
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Wed Mar 23 11:18:34 2022 +0000

    firewall: Fix placement of HOSTILE chains
    
    They were mistakenly placed after the IPS chains in commit
    7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
    connection tracking and before the IPS.
    
    Fixes: #12815
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 src/initscripts/system/firewall | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

Difference in files:
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2a70feac2..2597dae10 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,17 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# Chains for networks known as being hostile, posing a technical threat to our users
+	# (i. e. listed at Spamhaus DROP et al.)
+	iptables -N HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
 	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
@@ -259,17 +270,6 @@ iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi
 
-	# Chains for networks known as being hostile, posing a technical threat to our users
-	# (i. e. listed at Spamhaus DROP et al.)
-	iptables -N HOSTILE
-	iptables -A INPUT -j HOSTILE
-	iptables -A FORWARD -j HOSTILE
-	iptables -A OUTPUT -j HOSTILE
-
-	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
-	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
 	# Tor (inbound)
 	iptables -N TOR_INPUT
 	iptables -A INPUT -j TOR_INPUT


hooks/post-receive
--
IPFire 2.x development tree