From patchwork Wed Apr 6 19:12:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 5454 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0V143mz3x1b for ; Wed, 6 Apr 2022 19:12:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KYZ0R3Dlyz2cK; Wed, 6 Apr 2022 19:12:55 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KYZ0R2FBMz2yw8; Wed, 6 Apr 2022 19:12:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0P65tYz2xKQ for ; Wed, 6 Apr 2022 19:12:53 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KYZ0P01mwzdN; Wed, 6 Apr 2022 19:12:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1649272373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=C0711cqn8FYv5zxkMSEL4JaGVgMmJOtpJHb3ISbFuqk=; b=GCa4BqAQCDOech5w3Djtx2AEPL+TJclbKtl9T3DY5CjDXU49gCeK5WgQ8Nisvt2VC71KQv tUmbCjUuwvBsfFAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1649272373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=C0711cqn8FYv5zxkMSEL4JaGVgMmJOtpJHb3ISbFuqk=; b=BK8A5Xat78D55WAYEE60jodc8V9Jr49OlnAXj5Ob4s3j5NOptOM7OL/e5Gd/EMwluvCjnO A79JLnqWlnSzeWGP0gK7s/lrrMTixrtu7udj0yCcvawK/Kee8yeud5zXbuNrtrYf916QBG 8fMJ2fIVZIN7zh+8RUkEIabABLCFb5NW3A+GaDzAuIvlPm2cBvxtzmRAF+b60Zy58MTlqE MHLhmU3iw+ccbp0uMAOTqcdYh4JmIHFm8oQBxWgsZWZIjrMzZb8xeGxJtX6QIAlNL76ppi y73shM5BOckoLsuPsNWJbzOJAgv3w8EjCJx+jnHIMBb3DDpbQswXeV8AIegmCg== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 1/3] ids-functions.pl: Generate ipset based whitelist. Date: Wed, 6 Apr 2022 21:12:43 +0200 Message-Id: <20220406191245.4218-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Stefan Schantl --- config/cfgroot/ids-functions.pl | 68 ++++++++++++++++----------------- 1 file changed, 33 insertions(+), 35 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 94dccc8ae..d8ce5d0a0 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -90,7 +90,7 @@ our $sid_msg_file = "$rulespath/sid-msg.map"; our $local_rules_file = "$rulespath/local.rules"; # File which contains the rules to whitelist addresses on suricata. -our $whitelist_file = "$rulespath/whitelist.rules"; +our $whitelist_file = "$settingsdir/whitelist.conf"; # File which contains a list of all supported ruleset sources. # (Sourcefire, Emergingthreads, etc..) @@ -125,7 +125,7 @@ my @cron_intervals = ('off', 'daily', 'weekly' ); my @http_ports = ('80', '81'); # Array which contains a list of rulefiles which always will be included if they exist. -my @static_included_rulefiles = ('local.rules', 'whitelist.rules'); +my @static_included_rulefiles = ('local.rules'); # Array which contains a list of allways enabled application layer protocols. my @static_enabled_app_layer_protos = ('app-layer', 'decoder', 'files', 'stream'); @@ -1199,9 +1199,6 @@ sub _cleanup_rulesdir() { # We only want files. next unless (-f "$rulespath/$file"); - # Skip rules file for whitelisted hosts. - next if ("$rulespath/$file" eq $whitelist_file); - # Skip rules file with local rules. next if ("$rulespath/$file" eq $local_rules_file); @@ -1707,46 +1704,47 @@ sub get_suricata_enabled_app_layer_protos() { # sub generate_ignore_file() { my %ignored = (); + my @ignored_addresses = (); - # SID range 1000000-1999999 Reserved for Local Use - # Put your custom rules in this range to avoid conflicts - my $sid = 1500000; + # Name of the ipset. + my $list = "IPSWHITELIST"; # Read-in ignoredfile. &General::readhasharray($IDS::ignored_file, \%ignored); - # Open ignorefile for writing. - open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; + # Loop through the entire hash and add the enabled addresses to + # the array of ignored addresses.. + while ( (my $key) = each %ignored) { + my $address = $ignored{$key}[0]; + my $remark = $ignored{$key}[1]; + my $status = $ignored{$key}[2]; + + # Check if the status of the entry is "enabled". + if ($status eq "enabled") { + # Check if the address/network is valid. + if ((&General::validip($address)) || (&General::validipandmask($address))) { + # Add the address to the array of ignored addresses. + push(@ignored_addresses, $address); + } + } + } - # Config file header. - print FILE "# Autogenerated file.\n"; - print FILE "# All user modifications will be overwritten.\n\n"; + # Open the the whitelist file for writing. + open(FILE, ">", "$whitelist_file") or die "Could not write to $whitelist_file. $!\n"; - # Add all user defined addresses to the whitelist. - # - # Check if the hash contains any elements. - if (keys (%ignored)) { - # Loop through the entire hash and write the host/network - # and remark to the ignore file. - while ( (my $key) = each %ignored) { - my $address = $ignored{$key}[0]; - my $remark = $ignored{$key}[1]; - my $status = $ignored{$key}[2]; - - # Check if the status of the entry is "enabled". - if ($status eq "enabled") { - # Check if the address/network is valid. - if ((&General::validip($address)) || (&General::validipandmask($address))) { - # Write rule line to the file to pass any traffic from this IP - print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; bypass; sid:$sid\;)\n"; - - # Increment sid. - $sid++; - } - } + # Check if the array of ignored addresses contains any elements. + if(@ignored_addresses) { + # Write file header. + print FILE "create $list hash:net family inet -exist\n"; + print FILE "flush $list\n"; + + # Loop through the array of ignored addresses. + foreach my $address (@ignored_addresses) { + print FILE "add $list $address\n"; } } + # Close filehandle. close(FILE); } From patchwork Wed Apr 6 19:12:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 5455 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0W1wZ1z3x1x for ; Wed, 6 Apr 2022 19:12:59 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KYZ0S0W57z4S6; Wed, 6 Apr 2022 19:12:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KYZ0R2vr2z3019; Wed, 6 Apr 2022 19:12:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0Q0L1Cz2yCy for ; Wed, 6 Apr 2022 19:12:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KYZ0P4nwxz1xJ; Wed, 6 Apr 2022 19:12:53 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1649272373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0OJBUgbbSPbRFJo4dJt6Ei9q4D/ywJA13tHibAgI0qs=; b=ftN85Rn8xRmC7SLbNa1PiJMSom1kp5TIAQDAUTm3qp+s1V/wOqB+f/3G7Ggfx0/5QxXY9M 0Py7RpK0ccdk1dAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1649272373; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0OJBUgbbSPbRFJo4dJt6Ei9q4D/ywJA13tHibAgI0qs=; b=lrVKtP47K7lt2P1NqrNinQ1ySYa6SM/DXbTKhqpG5YCjkUBYhVdbxi8fraDip8zkTKtp7e KODSJ5WXmFYjO9e//Xh2WIIv6xe345zujTXIjkQTHZU1qDRI1PD5yFV02OcewUnH9u/vef XysSeMc4FiBSvrJadUbtZ2cnyQft6uYBHaJGYfSc0OpSyrN6l6W/SOQVGj8pDRAmNwn+gf rbRJdjP+pXQ0y8F3exD8m+hZgoyumm9nZ31ltO0bJpNqiZCjjKMZDIHBT5edzES7VSMzgB FL4lu6otXDu/ppOyeCB40ot94cZ42vI7GExMHHoVRkUCK8vAz2V0T1oDg1fmuA== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 2/3] suricata: Handle ipset based whitelist in initscript. Date: Wed, 6 Apr 2022 21:12:44 +0200 Message-Id: <20220406191245.4218-2-stefan.schantl@ipfire.org> In-Reply-To: <20220406191245.4218-1-stefan.schantl@ipfire.org> References: <20220406191245.4218-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Stefan Schantl --- src/initscripts/system/suricata | 42 +++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 938ea66de..5ede405ce 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -44,6 +44,15 @@ enabled_ips_zones=() # PID file of suricata. PID_FILE="/var/run/suricata.pid" +# File which contains the ipset of whitelisted hosts. +WHITELIST_FILE="/var/ipfire/suricata/whitelist.conf" + +# Name of the ipset set +IPSET_SET="IPSWHITELIST" + +IPS_BYPASS_MARK="0x40000000" +IPS_BYPASS_MASK="0x40000000" + # Function to get the amount of CPU cores of the system. function get_cpu_count { CPUCOUNT=0 @@ -135,16 +144,44 @@ function generate_fw_rules { # Flush the firewall chains. flush_fw_chain + if [ -s "$WHITELIST_FILE" ]; then + # Load the whitelist file. + ipset restore -f "$WHITELIST_FILE" + fi + # Check if the array of enabled_ips_zones contains any elements. if [[ ${enabled_ips_zones[@]} ]]; then # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Check if the whitelist file is not empty. + if [ -s "$WHITELIST_FILE" ]; then + # Create rules to handle whitelisted hosts. + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m set --match-set $IPSET_SET src -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m set --match-set $IPSET_SET dst -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m connmark --mark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK -j RETURN + + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m set --match-set $IPSET_SET src -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m set --match-set $IPSET_SET src -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m connmark --mark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK -j RETURN + fi + # Create rules queue input and output related traffic and pass it to the IPS. iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS # Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + # Check if the whetelist file is not empty. + if [ -s "$WHITELIST_FILE" ]; then + # Create rules to handle whitelisted hosts. + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" \ + -m set --match-set $IPSET_SET src -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" \ + -m set --match-set $IPSET_SET dst -j CONNMARK --set-xmark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" \ + -m connmark --mark $IPS_BYPASS_MARK/$IPS_BYPASS_MASK + fi + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS done done @@ -188,6 +225,11 @@ case "$1" in # Flush firewall chain. flush_fw_chain + # Unload the ipset set. + if [ -s "$WHITELIST_FILE" ]; then + ipset destroy $IPSET_SET 2>/dev/null + fi + # Sometimes suricata not correct shutdown. So killall. killall -KILL /usr/bin/suricata 2>/dev/null From patchwork Wed Apr 6 19:12:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 5456 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0W6qHpz3x1b for ; Wed, 6 Apr 2022 19:12:59 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4KYZ0T3rYVz4Vp; Wed, 6 Apr 2022 19:12:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4KYZ0T3lbyz2xKQ; Wed, 6 Apr 2022 19:12:57 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4KYZ0Q3FBvz2xKQ for ; Wed, 6 Apr 2022 19:12:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4KYZ0Q0RHSz2cK; Wed, 6 Apr 2022 19:12:54 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1649272374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A1D9K0F81ZM/HNMVFAyCtTCB+z+o49XL1LrubQSXbnk=; b=PIWDvRCRFzI+brMVBY7mqOXAbKy6bz6WVvmjDtlsc+Gau4kFjctgw3T4XZ3z86JG4HBfW2 S6wsWctqb99SujDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1649272374; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A1D9K0F81ZM/HNMVFAyCtTCB+z+o49XL1LrubQSXbnk=; b=NwTjL+eTeV1mwaZbIhlBs1N+e6ZDebx13n2IK+ChMxhQxSfFIlfxfSSbe2cR9tw8OP55At ht2AF/pWaJeaQLeEkvWQNhfp7XmkNLmGWZyVZYnWvhK9/GE2H5uC1D/wrrY+tN3yp1yAdi fYnWpchwwE+4SgBeS2MF7J+bfgHnXbDw3hSqudHNDxCBHHbH1fYG5NsHhU1T5lQ2eO8t3Q yw/OLJFIyT0iKYnaxrxnBemfJcnftTPNQIE1RtZoHgma83uzdO6a4bRPHZttVwVmdlJ9fc keAO+9lsW9+IyuN4wRfVZFmby8JbuLTiYySRXIa8JJ9hQW+wOO4WNrEwW6dbkw== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 3/3] rules.pl: Prevent from cleanup the IPSWHITELIST set. Date: Wed, 6 Apr 2022 21:12:45 +0200 Message-Id: <20220406191245.4218-3-stefan.schantl@ipfire.org> In-Reply-To: <20220406191245.4218-1-stefan.schantl@ipfire.org> References: <20220406191245.4218-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Init the IPSWHITELIST set as loaded to prevent from destroying during cleanup. Signed-off-by: Stefan Schantl --- config/firewall/rules.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 19dc7a6d1..0591a47be 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -73,7 +73,10 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); -my %ipset_loaded_sets = (); +my %ipset_loaded_sets = ( + "IPSWHITELIST" => "1", +); + my @ipset_used_sets = (); my $configfwdfw = "${General::swroot}/firewall/config";