firewall: Fix placement of HOSTILE chains
The HOSTILE chains were mistakenly hooked after the IPS chains in commit
7b529f5417254c68b6bd33732f30578182893d34, but they must be hooked after the
connection-tracking rules and before the IPS chains.
Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 23 Mar 2022, at 11:18, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> They were mistakenly placed after the IPS chains in commit
> 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
> connection tracking and before the IPS.
>
> Fixes: #12815
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 22 +++++++++++-----------
> 1 file changed, 11 insertions(+), 11 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 2a70feac2..2597dae10 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -169,6 +169,17 @@ iptables_init() {
> iptables -t nat -N CUSTOMPOSTROUTING
> iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>
> + # Chains for networks known as being hostile, posing a technical threat to our users
> + # (i. e. listed at Spamhaus DROP et al.)
> + iptables -N HOSTILE
> + iptables -A INPUT -j HOSTILE
> + iptables -A FORWARD -j HOSTILE
> + iptables -A OUTPUT -j HOSTILE
> +
> + iptables -N HOSTILE_DROP
> + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> +
> # IPS (Guardian) chains
> iptables -N GUARDIAN
> iptables -A INPUT -j GUARDIAN
> @@ -259,17 +270,6 @@ iptables_init() {
> iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> fi
>
> - # Chains for networks known as being hostile, posing a technical threat to our users
> - # (i. e. listed at Spamhaus DROP et al.)
> - iptables -N HOSTILE
> - iptables -A INPUT -j HOSTILE
> - iptables -A FORWARD -j HOSTILE
> - iptables -A OUTPUT -j HOSTILE
> -
> - iptables -N HOSTILE_DROP
> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> -
> # Tor (inbound)
> iptables -N TOR_INPUT
> iptables -A INPUT -j TOR_INPUT
> --
> 2.34.1
@@ -169,6 +169,17 @@ iptables_init() {
iptables -t nat -N CUSTOMPOSTROUTING
iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ # Chains for networks known as being hostile, posing a technical threat to our users
+ # (i. e. listed at Spamhaus DROP et al.)
+ iptables -N HOSTILE
+ iptables -A INPUT -j HOSTILE
+ iptables -A FORWARD -j HOSTILE
+ iptables -A OUTPUT -j HOSTILE
+
+ iptables -N HOSTILE_DROP
+ iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
# IPS (Guardian) chains
iptables -N GUARDIAN
iptables -A INPUT -j GUARDIAN
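Review bot: The ordering constraint this commit restores is stated only in the commit message, not in the file, so nothing stops the HOSTILE hooks from drifting behind the GUARDIAN chains again; extend the comment above `iptables -N HOSTILE` with something like `# NOTE: keep these hooks after the connection tracking rules and before the IPS chains (see #12815)`. A second caveat worth a line of comment: if the connection-tracking rules earlier in iptables_init accept ESTABLISHED/RELATED traffic before this point (they are not visible in the hunk), HOSTILE only ever sees new connections, so a flow that is already open to a network added to the list later keeps running until it times out — if that is the intended trade-off, say so next to the hooks. The HOSTILE chain is created empty here and nothing in the hunk shows where it is populated, so a one-line pointer to that script would help the next reader. The body of iptables_init continues outside the hunk.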
@@ -259,17 +270,6 @@ iptables_init() {
iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
fi
- # Chains for networks known as being hostile, posing a technical threat to our users
- # (i. e. listed at Spamhaus DROP et al.)
- iptables -N HOSTILE
- iptables -A INPUT -j HOSTILE
- iptables -A FORWARD -j HOSTILE
- iptables -A OUTPUT -j HOSTILE
-
- iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
# Tor (inbound)
iptables -N TOR_INPUT
iptables -A INPUT -j TOR_INPUT