From: Michael Tremer
Date: Wed, 14 Oct 2020 10:32:05 +0000 (+0100)
Subject: firewall: Filter only on RED and exclude any private address space
X-Git-Tag: v2.25-core151~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c69c820025c21713cdb77eae3dd4fa61ca71b5fb;p=ipfire-2.x.git

firewall: Filter only on RED and exclude any private address space

Since libloc is built as a tree we cannot simply exclude any address space in the middle of it. Therefore we create some firewall rules which simply avoid checking non-globally routable address space.

Fixes: #12499

Signed-off-by: Michael Tremer
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index cad53a1d79..c2641a92d3 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
+my @PRIVATE_NETWORKS = (
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -621,6 +628,16 @@ sub locationblock {
 return;
 }
+ # Only check the RED interface
+ if ($defaultNetworks{'RED_DEV'} ne "") {
+ run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+ }
+
+ # Do not check any private address space
+ foreach my $network (@PRIVATE_NETWORKS) {
+ run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+ }
+
 # Loop through all supported locations and
 # create iptables rules, if blocking for this country
 # is enabled.
diff --git a/config/rootfiles/core/151/filelists/files b/config/rootfiles/core/151/filelists/files
index 8223d97de5..9910e1bf94 100644
--- a/config/rootfiles/core/151/filelists/files
+++ b/config/rootfiles/core/151/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs
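Review bot: The new `@PRIVATE_NETWORKS` list carries no comment saying which ranges it is meant to cover, and its contents do not quite match the commit message's "any private address space": 100.64.0.0/10 is RFC 6598 shared (CGNAT) space rather than RFC 1918 private space, while loopback (127.0.0.0/8) and link-local (169.254.0.0/16), which are equally non-globally routable, are not listed. Whether those omissions are deliberate cannot be told from the hunk, so a comment above the list such as `# Ranges LOCATIONBLOCK skips: RFC 1918 private space plus RFC 6598 shared (CGNAT) space; loopback and link-local are intentionally not listed (TODO: confirm)` would record the decision for the next maintainer. Because each entry is interpolated straight into an iptables command line in locationblock, the list should stay a fixed set of literal CIDRs and not be made configurable without validating the values first.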
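Review bot: The guard `if ($defaultNetworks{'RED_DEV'} ne "")` falls through silently when RED_DEV is missing or undef — if the file enables warnings that is only an "uninitialized value" warning, and the chain then inspects traffic from every interface, which is exactly what the commit sets out to stop. `if (($defaultNetworks{'RED_DEV'} // "") ne "")` states the intent, and an `else` branch that logs the fallback would make the weakened configuration visible to operators. It also cannot be confirmed from this hunk that the device name stored in RED_DEV is the interface that actually carries RED traffic for every connection type (a PPP-based RED link may present under a different name); if it is not, `! -i` returns for every packet and the location block is effectively disabled, so that is worth verifying. Likewise, if LOCATIONBLOCK is ever reached from the OUTPUT path (its callers are outside the hunk), `-i` has nothing to match there and all such traffic returns early. locationblock begins before the hunk and continues after it.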