firewall: Reject outgoing TCP connections to port 25 by default
authorPeter Müller <peter.mueller@ipfire.org>
Sat, 4 Nov 2023 17:35:00 +0000 (17:35 +0000)
committerPeter Müller <peter.mueller@ipfire.org>
Tue, 21 Nov 2023 19:04:44 +0000 (19:04 +0000)
This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood of confusion during network
troubleshooting.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
config/firewall/config [new file with mode: 0644]
lfs/configroot

diff --git a/config/firewall/config b/config/firewall/config
new file mode 100644 (file)
index 0000000..c871576
--- /dev/null
@@ -0,0 +1 @@
+1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,,TCP,,,ON,,,cust_srv,SMTP,Block port 25 (TCP) for outgoing connections to the internet,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
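Review bot: The service columns `cust_srv,SMTP` make this rule depend on a custom service named SMTP, and nothing in this commit adds such a service to the default fwhosts files a fresh install receives, so it presumably relies on `SMTP` already being present in the shipped custom services — worth confirming, since a service name that does not resolve would leave the rule without a port match. The remark field reads `Block port 25 (TCP) for outgoing connections to the internet` while the action is REJECT; as the commit message deliberately picks reject over drop to aid troubleshooting, wording it `Reject port 25 (TCP) for outgoing connections to the internet` keeps the UI text consistent with what the rule does. The `FORWARDFW` value presumably scopes this to forwarded traffic from the local networks towards RED; whether connections originating on the firewall host itself are covered cannot be told from this file alone.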
index 2c09ae4a8b2bce891bc162e007259c36b45f648f..66efe04b5f0d3cd92937f503ce595595296f9217 100644 (file)
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -64,7 +64,7 @@ $(TARGET) :
        for i in auth/users backup/include.user backup/exclude.user \
            captive/settings captive/agb.txt captive/clients captive/voucher_out certs/index.txt certs/index.txt.attr ddns/config ddns/settings ddns/ipcache dhcp/settings \
            dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dns/servers dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
-           ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/locationblock firewall/input firewall/outgoing \
+           ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings firewall/settings firewall/locationblock firewall/input firewall/outgoing \
            fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwhosts/customlocationgrp fwlogs/ipsettings fwlogs/portsettings ipblocklist/modified \
            ipblocklist/settings mac/settings main/hosts main/routing main/security main/settings optionsfw/settings \
            ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
@@ -102,6 +102,7 @@ $(TARGET) :
        cp $(DIR_SRC)/config/cfgroot/logging-settings           $(CONFIG_ROOT)/logging/settings
        cp $(DIR_SRC)/config/cfgroot/ethernet-vlans             $(CONFIG_ROOT)/ethernet/vlans
        cp $(DIR_SRC)/langs/list                                $(CONFIG_ROOT)/langs/
+       cp $(DIR_SRC)/config/firewall/config                    $(CONFIG_ROOT)/firewall/config
        cp $(DIR_SRC)/config/firewall/convert-xtaccess          /usr/sbin/convert-xtaccess
        cp $(DIR_SRC)/config/firewall/convert-outgoingfw        /usr/sbin/convert-outgoingfw
        cp $(DIR_SRC)/config/firewall/convert-dmz               /usr/sbin/convert-dmz
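Review bot: Because `firewall/config` is dropped from the `touch` list in the `@@ -64,7` hunk and created by the `cp` added here instead, it no longer passes through whatever the loop does after `touch`; the loop body and the rest of the `$(TARGET) :` rule lie outside both hunks, so if ownership or mode is applied per touched entry rather than to the whole `$(CONFIG_ROOT)` tree, the copied file will miss that treatment and keep the 0644 mode `cp` hands on from the source. A one-line why-comment above the new copy, `# Ship a default ruleset (reject outgoing TCP/25) instead of an empty file`, would explain why this entry alone is copied while the neighbouring `firewall/*` files are only touched. The `$(TARGET) :` rule starts and ends outside these hunks.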