diff mbox series

firewall: Make blocking all traffic impossible on HOSTILE

Message ID	20220311144311.2642666-1-michael.tremer@ipfire.org
State	Accepted
Commit	e77d960bacae0685e2c9fd1b93d4524771d53cd5
Headers	From: Michael Tremer <michael.tremer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] firewall: Make blocking all traffic impossible on HOSTILE Date: Fri, 11 Mar 2022 14:43:11 +0000 Message-Id: <20220311144311.2642666-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Cc: Michael Tremer <michael.tremer@ipfire.org> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	firewall: Make blocking all traffic impossible on HOSTILE \| firewall: Make blocking all traffic impossible on HOSTILE

Commit Message

Michael Tremer March 11, 2022, 2:43 p.m. UTC

  The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.

This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.

This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
---
 config/firewall/rules.pl        | 12 +++---------
 src/initscripts/system/firewall | 11 +++++++----
 2 files changed, 10 insertions(+), 13 deletions(-)

diff mbox series

Patch

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 57f4809b4..d71304986 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -701,15 +701,9 @@  sub drop_hostile_networks () {
 	# Call function to load the network list of hostile networks.
 	&ipset_restore($HOSTILE_CCODE);
 
-	# Setup rules to pass traffic which does not belong to a hostile network.
-	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
-	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
-
-	# Setup logging.
-	run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix \"DROP_HOSTILE \"");
-
-	# Drop traffic from/to hostile network.
-        run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
+	# Check traffic in incoming/outgoing direction and drop if it matches
+	run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
+	run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
 }
 
 sub get_protocols {
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2c4d3163b..2a70feac2 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -262,10 +262,13 @@  iptables_init() {
 	# Chains for networks known as being hostile, posing a technical threat to our users
 	# (i. e. listed at Spamhaus DROP et al.)
 	iptables -N HOSTILE
-	iptables -A INPUT -i $IFACE -j HOSTILE
-	iptables -A FORWARD -i $IFACE -j HOSTILE
-	iptables -A FORWARD -o $IFACE -j HOSTILE
-	iptables -A OUTPUT -o $IFACE -j HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
 	# Tor (inbound)
 	iptables -N TOR_INPUT