Message ID | c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org |
---|---|
State | Accepted |
Commit | 97154d057bdbc7fa34309e9a5ad389775eff210d |
Series | firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection |
Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
>
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfere with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() { > iptables -t nat -N CUSTOMPOSTROUTING > iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING > > + # Log and drop any traffic from and to networks known as being hostile, posing > + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) > + if [ "$DROPHOSTILE" == "on" ]; then > + iptables -N DROP_HOSTILE > + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " > + > + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE > + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + > + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" > + fi > + > # P2PBLOCK > iptables -N P2PBLOCK > iptables -A INPUT -j P2PBLOCK > -- > 2.26.2
Hello Michael,

thanks for your reply. This is good to know as I was surprised to see this working on my testing machine without any further exports/converting/${whatever} of the location database. :-)

Thanks, and best regards,
Peter Müller

> Hello,
>
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
>
> Whenever we download the database, we extract everything:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
>
> So this should always work.
>
> -Michael
>
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfere with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() { >> iptables -t nat -N CUSTOMPOSTROUTING >> iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING >> >> + # Log and drop any traffic from and to networks known as being hostile, posing >> + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) >> + if [ "$DROPHOSTILE" == "on" ]; then >> + iptables -N DROP_HOSTILE >> + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " >> + >> + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE >> + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + >> + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" >> + fi >> + >> # P2PBLOCK >> iptables -N P2PBLOCK >> iptables -A INPUT -j P2PBLOCK >> -- >> 2.26.2 >
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK
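Review bot: the OUTPUT rule in this hunk, `iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE`, matches on `--src-cc`, but packets generated by the firewall itself and leaving through `$IFACE` always carry one of the firewall's own addresses as source, so this rule can never match a listed network; it should be `--dst-cc XD`, mirroring the `FORWARD -o $IFACE --dst-cc XD` rule directly above it, so that connections the firewall itself opens towards hostile networks are logged and dropped like forwarded ones. Two smaller points on the same lines: `$IFACE` is unquoted in all four jump rules, and `[ "$DROPHOSTILE" == "on" ]` relies on the bash-only `==` inside `[ ]`, which is fine only as long as the script is always run by bash (`=` is the portable spelling). Finally, since the LOG rule is limited to 10/second (default burst 5), packets beyond that rate are still dropped but never logged, so the `-m comment` on the DROP rule and the chain's packet counters, not the log, are the complete record of what was dropped; worth a sentence in the commit message.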
Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfere with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 14 ++++++++++++++
1 file changed, 14 insertions(+)
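The dedicated chain and its `DROP_HOSTILE ` log prefix are what make these drops attributable afterwards. The following is an added example, not code from the patch or from the IPFire project: a POSIX shell/awk function that reads kernel log records carrying that prefix, recovers the chain (INPUT, OUTPUT or FORWARD) from the `IN=`/`OUT=` fields, and counts drops per listed address, taking the source for packets that arrived on the WAN interface and the destination for packets that were leaving through it. It assumes the WAN interface is called red0 (passed as an argument) and that OUTPUT records were matched on their destination; the log lines are constructed samples in the format of the iptables LOG target, with the last one carrying a different prefix to show it is ignored.

```shell
#!/bin/sh
# Added example (not IPFire project code): summarise kernel log records
# written by the DROP_HOSTILE LOG rule, attributing every drop to the
# hostile-network end of the flow.
#
# Assumptions: the WAN (red) interface is red0, and OUTPUT records were
# matched on their destination, so their hostile end is DST.

# Constructed sample records in the format of the iptables LOG target, with
# the timestamp/host/"kernel:" prefix syslog normally adds. The last line
# carries another prefix and must not be counted.
DROP_HOSTILE_SAMPLE='Dec 18 13:48:01 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 18 13:48:02 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 18 13:48:03 ipfire kernel: DROP_HOSTILE IN=red0 OUT=green0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 18 13:48:04 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=192.0.2.33 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 18 13:48:05 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=203.0.113.2 DST=192.0.2.33 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=39000 DPT=53 LEN=56
Dec 18 13:48:06 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.50 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=1234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarize_drop_hostile WAN_IFACE
#   Reads log lines on stdin and prints "count chain remote" for every
#   (chain, listed address) pair, most frequent first.
summarize_drop_hostile() {
    wan="${1:-red0}"
    LC_ALL=C awk -v wan="$wan" '
    /DROP_HOSTILE IN=/ {
        in_if = ""; out_if = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # bare flags such as DF, SYN
            if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
        }
        # Recover the chain from the interface pair: INPUT has no OUT,
        # OUTPUT has no IN, FORWARD has both.
        if (out_if == "") chain = "INPUT"
        else if (in_if == "") chain = "OUTPUT"
        else chain = "FORWARD"
        # The listed (XD) address is the source of packets that arrived on
        # the WAN interface and the destination of packets leaving through it.
        remote = (in_if == wan) ? src : dst
        count[chain " " remote]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Stand-alone run over the constructed sample; on a real system feed the
# kernel log instead, e.g.  summarize_drop_hostile red0 < /var/log/messages
printf '%s\n' "$DROP_HOSTILE_SAMPLE" | summarize_drop_hostile red0
```

Because the LOG rule is rate-limited, these counts are a lower bound: packets above the limit are dropped without a log record. The packet and byte counters of the chain (`iptables -L DROP_HOSTILE -v -n -x`) are the complete tally, and the `-m comment` on the DROP rule keeps that counter line recognisable in the listing.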