From 4d25c1f39af51795e61855166a3aa24b6af97a17 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 18 Dec 2021 14:47:56 +0100 Subject: [PATCH] firewall: Accept inbound Tor traffic before applying the location filter MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain. Note this affects Tor relay operators only. Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/, note the documentation in the wiki needs to be updated once this landed in production. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf91..cc5baa2924 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi + # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK @@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT -- 2.39.5