[v3,2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and
HOSTILE_DROP_OUT for outgoing traffic, enabling logging decisions to be taken on each
direction independently.
Fixes: bug12981
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/firewall/rules.pl | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Acked-by: Bernhard Bitsch <bbitsch@ipfire.org>
Am 21.01.2024 um 12:45 schrieb Adolf Belka:
> - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and
> HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
> independently.
>
> Fixes: bug12981
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/firewall/rules.pl | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 7edb910e2..a47c260a1 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -726,8 +726,8 @@ sub drop_hostile_networks () {
> &ipset_restore($HOSTILE_CCODE);
>
> # Check traffic in incoming/outgoing direction and drop if it matches
> - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
> - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
> + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
> + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
> }
>
> sub ipblocklist () {
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
&ipset_restore($HOSTILE_CCODE);
# Check traffic in incoming/outgoing direction and drop if it matches
- run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
- run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
+ run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
+ run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
}
sub ipblocklist () {
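Review bot: The two appended rules now jump to HOSTILE_DROP_IN and HOSTILE_DROP_OUT, but nothing in this hunk creates those chains, and iptables rejects a `-j` to a user chain that does not exist at the time the rule is appended, so the ordering against whichever patch in this series adds the chains decides whether the rule load succeeds. If run() merely reports a non-zero exit status (its definition is outside the hunk, so I cannot confirm), a failed append would leave the hostile-network drop silently unapplied in that direction, which fails open; it is worth confirming that rule load aborts or at least logs such a failure. The comment above the rules still reads as if both directions share one target; I would change it to `# Check traffic in incoming/outgoing direction and jump to the direction-specific drop chain (HOSTILE_DROP_IN / HOSTILE_DROP_OUT) so logging can be decided per direction`. drop_hostile_networks starts before this hunk.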