From patchwork Sat Nov  4 17:35:00 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 7303
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature ECDSA (secp384r1) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4SN4Wt3dZwz3wvm
	for <patchwork@web04.haj.ipfire.org>; Sat,  4 Nov 2023 17:35:38 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4SN4Wr2T4szyQ;
	Sat,  4 Nov 2023 17:35:36 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4SN4Wr03dkz33f2;
	Sat,  4 Nov 2023 17:35:36 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature ECDSA (secp384r1) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4SN4Wn543Pz2xG5
	for <development@lists.ipfire.org>; Sat,  4 Nov 2023 17:35:33 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4SN4Wl1QCDzw9
	for <development@lists.ipfire.org>; Sat,  4 Nov 2023 17:35:30 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1699119332;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=qLLj0j24zbNZQCCmk2XG7zYds6kws7XUEJow+tpP35w=;
	b=rKg5HzA8jEcNmSZpgke7/xFwzKch2nkF67T8E1rIpBPllixjoEtvohQS1OugBEtuHZ+h3Y
	hLyB9LZWCKKgGzDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1699119332;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=qLLj0j24zbNZQCCmk2XG7zYds6kws7XUEJow+tpP35w=;
	b=YtMDkuqR9j8zYgFXNg/rb85sJgYvNaCT1Xr/X4pSImnYRrnjO2RBNQ0DD9gW7lqv3QgiaS
	bU8nhVx8P1GCCWXPp1eC2fTvzAaNTW9ZmIfkZPMfqfWRy116qGInyYP37Q9c4uJTIbTsjh
	EjpuhwTRtaGU5oeW59x6S/KLHD8WUHXSvZQ46U++O5z1UlEkHEL5XVCkriY4nVI8mWhaNu
	nz2tlQKiIink1r0O3B1UcHTS/HdSegxhOTOgZjn25BAyAUPNIbahdQ1LRt8LtgiW927LH9
	RcaZCpx2qw7v4UnVYib7W6znSZZf7mQHiGYWfOfYstZSXI3JpPiDNNYIFh6YXw==
Message-ID: <f61bc590-4964-48b2-b48e-d7243b78a369@ipfire.org>
Date: Sat, 4 Nov 2023 17:35:00 +0000
MIME-Version: 1.0
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] firewall: Reject outgoing TCP connections to port 25 by
 default
Message-ID-Hash: LWMLRQ4PMHS77WTIV6T66KWHZTGZ6KK4
X-Message-ID-Hash: LWMLRQ4PMHS77WTIV6T66KWHZTGZ6KK4
X-MailFrom: peter.mueller@ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/mailman3/hyperkitty/list/development@lists.ipfire.org/message/LWMLRQ4PMHS77WTIV6T66KWHZTGZ6KK4/>
List-Archive: 
 <https://lists.ipfire.org/mailman3/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/firewall/config | 1 +
 lfs/configroot         | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 config/firewall/config

diff --git a/config/firewall/config b/config/firewall/config
new file mode 100644
index 000000000..c871576f2
--- /dev/null
+++ b/config/firewall/config
@@ -0,0 +1 @@
+1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
diff --git a/lfs/configroot b/lfs/configroot
index 2c09ae4a8..66efe04b5 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -64,7 +64,7 @@ $(TARGET) :
 	for i in auth/users backup/include.user backup/exclude.user \
 	    captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
 	    dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
+	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
 	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
 	    ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
@@ -102,6 +102,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/logging-settings		$(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans
 	cp $(DIR_SRC)/langs/list				$(CONFIG_ROOT)/langs/
+	cp $(DIR_SRC)/config/firewall/config			$(CONFIG_ROOT)/firewall/config
 	cp $(DIR_SRC)/config/firewall/convert-xtaccess		/usr/sbin/convert-xtaccess
 	cp $(DIR_SRC)/config/firewall/convert-outgoingfw	/usr/sbin/convert-outgoingfw
 	cp $(DIR_SRC)/config/firewall/convert-dmz		/usr/sbin/convert-dmz