In case some of these private networks are part of a used blocklist,
this kind of traffic needs to be allowed. Otherwise some services may
not work properly.

For example:
In case one or more IPSec N2N connections are configured, no traffic can
be passed through them if the used networks are part of a blocklist.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Flush the DROP chains of the blocklist chains while reloading the
firewall. Otherwise the log rules will stay even if logging has been
disabled in the meantime.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Placing the ipblocklist sources file in its own package easily
allows this single file to be updated during a core update and
keeps the vendor details for the blocklists up-to-date.

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

* Fixes that the same chain would be created each time a firewall
  reload is performed.
* Also fixes multiple log and drop rules inside the BLOCKLIST_DROP
  chains after doing a firewall reload.
* Orphaned BLOCKLIST_DROP chains will now be flushed and removed in case
  the blocklist gets disabled or the entire feature is switched off.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Support for themes was removed ages ago, so we
do not need this anymore, and it may crash the page.

Signed-off-by: Rob Brewer <rob.brewer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

given list.

The function will return the rate in seconds based on the configured
rate value in the blocklist sources file and the given blocklist.

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

not parse-able.

In case the downloaded list is empty or the parser is not able to parse
it properly, the download_and_create_blocklist() function now exits and
will return "empty_list" as a new error code.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

This vendor has a different list format and therefore requires its
own parser.

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

This function is responsible for downloading and converting the
blocklist into an ipset compatible format.

The only required argument is the blocklist (in upper letter format) which
should be performed. It will automatically set up an upstream proxy (if
configured) and grab the file specified in the blocklist vendor
configuration hash.

There is a maximum amount of five attempts until the script gives up and
returns a "dl_error". In case the server responds with "Not Modified"
(Code 304), a "not_modified" will be returned.

If the blocklist has been grabbed successfully, the modification date
gets stored for further purposes and the list content will be converted
and stored in an ipset compatible format.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
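
The download flow described in the commit message above, together with the "empty_list" case from the earlier message, as an added Python sketch that is not IPFire's own code. The names `fetch_blocklist`, `to_ipset_restore`, the injected `fetch` callable, the `state` dict and the `"ok"` success code are assumptions of this example, the list is assumed to be one IPv4 address or CIDR per line, and upstream proxy handling is left out.

```python
import ipaddress

MAX_ATTEMPTS = 5  # "maximum amount of five attempts" per the commit message

def to_ipset_restore(name, text):
    """Turn a one-entry-per-line list into `ipset restore` input, or None if nothing parses."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an address or CIDR: ignore the line
        if net.version == 4:
            nets.append(str(net))
    if not nets:
        return None
    head = f"create {name} hash:net family inet maxelem {max(1024, len(nets))}"
    return "\n".join([head] + [f"add {name} {n}" for n in nets]) + "\n"

def fetch_blocklist(name, fetch, state):
    """fetch(name, if_modified_since) -> (http_status, body, last_modified); raises OSError.
    state maps list name -> stored modification date. Returns (code, restore_text)."""
    for _ in range(MAX_ATTEMPTS):
        try:
            status, body, last_modified = fetch(name, state.get(name))
        except OSError:
            continue  # network failure: counts as one attempt
        if status == 304:
            return "not_modified", None
        if status != 200:
            continue  # any other status also uses up an attempt
        restore = to_ipset_restore(name, body)
        if restore is None:
            return "empty_list", None  # date is not stored, so the next run fetches again
        state[name] = last_modified
        return "ok", restore  # "ok" is this example's own success code
    return "dl_error", None

if __name__ == "__main__":
    # Constructed replies: one timeout, then a list with a comment, a junk line and two entries.
    replies = iter([OSError("timeout"),
                    (200, "# sample\n198.51.100.0/24\nnot-an-ip\n203.0.113.7\n", "Mon, 01 Jan 2024 00:00:00 GMT")])
    def fake_fetch(name, since):
        reply = next(replies)
        if isinstance(reply, Exception):
            raise reply
        return reply
    state = {}
    print(fetch_blocklist("EXAMPLE", fake_fetch, state), state)
```

Returning "empty_list" before the modification date is stored keeps a broken or truncated download from being remembered as current, so the existing set is not replaced by an empty one and the next run tries again.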

This library file will contain a collection of functions, which are
required to deal with the ipblocklist feature.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>