firewall: Make blocking all traffic impossible on HOSTILE

The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.

This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.

This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 57f4809b4e22cfe621cba27c0c05a9dae46ada37..d713049867f4ee7a9cb198cc85cf8225dd7eadf5 100644 (file)
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -701,15 +701,9 @@ sub drop_hostile_networks () {
        # Call function to load the network list of hostile networks.
        &ipset_restore($HOSTILE_CCODE);
 
-       # Setup rules to pass traffic which does not belong to a hostile network.
-       run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN");
-       run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN");
-
-       # Setup logging.
-       run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix \"DROP_HOSTILE \"");
-
-       # Drop traffic from/to hostile network.
-        run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\"");
+       # Check traffic in incoming/outgoing direction and drop if it matches
+       run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
+       run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
 }
 
 sub get_protocols {

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2c4d3163b6839304140c65c333b245be1bd24d18..2a70feac2a091d59857885d7c6d0ce2e423ef668 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -262,10 +262,13 @@ iptables_init() {
        # Chains for networks known as being hostile, posing a technical threat to our users
        # (i. e. listed at Spamhaus DROP et al.)
        iptables -N HOSTILE
-       iptables -A INPUT -i $IFACE -j HOSTILE
-       iptables -A FORWARD -i $IFACE -j HOSTILE
-       iptables -A FORWARD -o $IFACE -j HOSTILE
-       iptables -A OUTPUT -o $IFACE -j HOSTILE
+       iptables -A INPUT -j HOSTILE
+       iptables -A FORWARD -j HOSTILE
+       iptables -A OUTPUT -j HOSTILE
+
+       iptables -N HOSTILE_DROP
+       iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+       iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
        # Tor (inbound)
        iptables -N TOR_INPUT