From patchwork Sun Jan 21 11:45:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7472 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4THs4d1KTnz3wmD for ; Sun, 21 Jan 2024 11:46:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4THs4Z03cWzkc; Sun, 21 Jan 2024 11:46:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4THs4Y3xW3z307G; Sun, 21 Jan 2024 11:46:05 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4THs4V6hYnz300V for ; Sun, 21 Jan 2024 11:46:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4THs4V3cwgzkc; Sun, 21 Jan 2024 11:46:02 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1705837562; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=X/Nxfyal9sOBnJGpuBapT7S03z+RN4QKVYtpd9YyKhQ=; b=7D4+1B0nkjuKH17MUr81pfsAUH77aFX0ZZdGP4T/Sp+6HlVntw1C35ojmJOPk2dSA/JQv5 JXoZYe4L7aFeGsBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1705837562; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=X/Nxfyal9sOBnJGpuBapT7S03z+RN4QKVYtpd9YyKhQ=; b=V7CcaAsF39oUQ4BHkdSWdgBnTyvlxtrh8KPtYCDix/ji06OdMNIMaROUSRZGAVCqnW+sRV 61rHTWwp7xS8TZJ/dpxVCjdI6+Y5s5FCiLvvAx9miHNDjp4E3SkVI3lxssEic6/QxZW1Y+ KahSSrzvAc6DcCh5WaB57Yx0TXJTp6Kbc6Zz0vZBSDxoFeYUGEmX7yl4yq1Tx7aoSQi+qW lmyRG9EQruezc8Nl75U0ShFfslQuhSA94wIAiamqXqoYFlKgQKbRKF0Yjm4PiZpWDgbwJ2 3oDFbaXTXOooin/NgvyldWuriNOiMg/I+LydCvgy9P6GA8zDesn7qYB8CFGSMA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile Date: Sun, 21 Jan 2024 12:45:48 +0100 Message-ID: <20240121114553.5182-2-adolf.belka@ipfire.org> In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org> References: <20240121114553.5182-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: T3FXVOYUCPHFLGR76L5LPY3FEWJ65U4V X-Message-ID-Hash: T3FXVOYUCPHFLGR76L5LPY3FEWJ65U4V X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each independently. Fixes: bug12981 Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Acked-by: Bernhard Bitsch --- config/firewall/rules.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7edb910e2..a47c260a1 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -726,8 +726,8 @@ sub drop_hostile_networks () { &ipset_restore($HOSTILE_CCODE); # Check traffic in incoming/outgoing direction and drop if it matches - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP"); - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP"); + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT"); } sub ipblocklist () {