firewall: Make blocking all traffic impossible on HOSTILE

The current setup can fail and block all traffic on RED if the RETURN rules could not be created. This can happen when the kernel fails to load the ipset module, as it is the case after upgrading to a new kernel. Restarting the firewall will cause that the system is being cut off the internet. This design now changes that if those rules cannot be created, the DROP_HOSTILE feature is just inactive, but it would not disrupt any traffic. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 18:45:54 +02:00 · 2022-03-11 14:43:11 +00:00
parent 46b8eb9e7f
commit e77d960bac
2 changed files with 10 additions and 13 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -262,10 +262,13 @@ iptables_init() {
 	# Chains for networks known as being hostile, posing a technical threat to our users
 	# (i. e. listed at Spamhaus DROP et al.)
 	iptables -N HOSTILE
-	iptables -A INPUT -i $IFACE -j HOSTILE
-	iptables -A FORWARD -i $IFACE -j HOSTILE
-	iptables -A FORWARD -o $IFACE -j HOSTILE
-	iptables -A OUTPUT -o $IFACE -j HOSTILE
+	iptables -A INPUT -j HOSTILE
+	iptables -A FORWARD -j HOSTILE
+	iptables -A OUTPUT -j HOSTILE
+
+	iptables -N HOSTILE_DROP
+	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"

 	# Tor (inbound)
 	iptables -N TOR_INPUT