firewall: Fix placement of HOSTILE chains

They were mistakenly placed after the IPS chains in commit 7b529f5417, but should be placed after the connection tracking and before the IPS. Fixes: #12815 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-03-23 11:18:34 +00:00
parent e68cfdb140
commit 247e97800d
1 changed files with 11 additions and 11 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,17 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING

+	# Chains for networks known as being hostile, posing a technical threat to our users
+	# (i. e. listed at Spamhaus DROP et al.)
+	iptables -N HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
 	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
@@ -259,17 +270,6 @@ iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi

-	# Chains for networks known as being hostile, posing a technical threat to our users
-	# (i. e. listed at Spamhaus DROP et al.)
-	iptables -N HOSTILE
-	iptables -A INPUT -j HOSTILE
-	iptables -A FORWARD -j HOSTILE
-	iptables -A OUTPUT -j HOSTILE
-
-	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
-	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
 	# Tor (inbound)
 	iptables -N TOR_INPUT
 	iptables -A INPUT -j TOR_INPUT