rules.pl: Fixes bug12981 - Add in- and out-specific actions for drop hostile - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and HOSTILE_DROP_OUT for outgoing traffic, enabling logging decisions to be taken on each independently. Fixes: bug12981 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Allow traffic from multicast networks The multicast network segment 224.0.0.0/4 is used for a lot of different services provided by the local ISPs (IPTV etc.). We have to allow traffic from these networks when using one of the BOGON blocklists in order to keep those ISP services accessible. https://www.iana.org/assignments/multicast-addresses/multicast-addresses.xhtml Fixes 13092. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: Avoid creating a rule that permits all traffic on invalid source The firewall engine generated rules that did not have any traffic selectors due to an improperly initialized variable in the source. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
rules.pl: Do not check private networks against ipblocklists. In case some of these private networks are part of a used blocklist, this kind of traffic needs to be allowed. Otherwise some services may not work properly. For example: in case one or more IPsec N2N connections are configured, no traffic can be passed through them if the used networks are part of a blocklist. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
rules.pl: Refactor logic to handle the IP blocklist feature. * Fixes that the same chain would be created each time a firewall reload is performed. * Also fixes multiple log and drop rules inside the BLOCKLIST_DROP chains after doing a firewall reload. * Orphaned BLOCKLIST_DROP chains will now be flushed and removed in case the blocklist gets disabled or the entire feature is switched off. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
rules.pl: Fix automatic ipset sets cleanup. The array of used/loaded ipsets needs to be reloaded before the cleanup can be started to also handle sets which are loaded during runtime. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
rules.pl: Fix creating rules for location based groups. The formerly used hash value only contains the country code when a rule for a single country should be created. In case a location group is used, the hash value refers to the group name, which does not work here. The required country code is part of the processed string and can be taken from there. This works well for single codes and location groups, because those are processed in a loop. Fixes #12809. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
firewall: Make blocking all traffic impossible on HOSTILE The current setup can fail and block all traffic on RED if the RETURN rules could not be created. This can happen when the kernel fails to load the ipset module, as is the case after upgrading to a new kernel. Restarting the firewall will then cut the system off from the internet. This design now changes that: if those rules cannot be created, the DROP_HOSTILE feature is just inactive and does not disrupt any traffic. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
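The fail-safe ordering described in the last commit, combined with the per-direction HOSTILE_DROP_IN/HOSTILE_DROP_OUT split from the first one, as an added shell example that is not IPFire's own rules.pl code: the RETURN rule referencing the ipset is installed before any DROP, so a missing ipset module leaves an empty, harmless chain. The ipset name and the LOG/DROP tail of each chain are assumptions.

```shell
#!/bin/sh
# Added illustration, not IPFire's rules.pl: install the hostile-drop chains in
# a fail-safe order. The RETURN rule that references the ipset goes in first;
# if it cannot be added (e.g. the ipset kernel module is missing after a kernel
# upgrade) the chain is flushed and left empty, so the feature is inactive
# instead of dropping all traffic on RED.
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# $1 = chain name, $2 = ipset holding the hostile networks (assumed name),
# $3 = "src" for incoming traffic or "dst" for outgoing traffic.
setup_hostile_chain() {
    chain="$1"; set_name="$2"; dir="$3"
    # Create the chain, or flush it if it already exists (idempotent reload).
    "$IPT" -N "$chain" 2>/dev/null || "$IPT" -F "$chain" || return 1
    # Everything not in the hostile set leaves the chain untouched.
    if ! "$IPT" -A "$chain" -m set ! --match-set "$set_name" "$dir" -j RETURN; then
        # ipset unusable: make the chain a no-op rather than a blackhole.
        "$IPT" -F "$chain"
        echo "$chain: ipset '$set_name' unavailable, hostile drop inactive" >&2
        return 2
    fi
    # Only now is it safe to log and drop what remains.
    "$IPT" -A "$chain" -j LOG --log-prefix "${chain}: "
    "$IPT" -A "$chain" -j DROP
}

# Separate IN and OUT chains so logging can be decided per direction.
# Returns the last non-zero status of the two chain setups, 0 if both worked.
setup_hostile_drops() {
    rc=0
    setup_hostile_chain HOSTILE_DROP_IN  "$1" src || rc=$?
    setup_hostile_chain HOSTILE_DROP_OUT "$1" dst || rc=$?
    return "$rc"
}
```

Set `IPT` to a wrapper (or `iptables -w`) to dry-run or serialise the calls; with the real binary the two chains still need to be referenced from INPUT/FORWARD/OUTPUT.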