From b2eb5b07826d590319dd81e5d5b9506543ef3507 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Sat, 11 Dec 2010 10:01:27 +0100
Subject: [PATCH] Handle loopback on input before NEW,NOTSYN check.

Many programs like squid/squidguard spam the log without this.
---
 src/initscripts/init.d/firewall | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index fea8d87e84..88889a4c26 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -188,10 +188,10 @@ case "$1" in
 	/sbin/iptables -A FORWARD -j OUTGOINGFW
 
 	# localhost and ethernet.
-	/sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
+	/sbin/iptables -I INPUT 1 -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state --state NEW -j ACCEPT
 	/sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo
 	/sbin/iptables -A INPUT -d 127.0.0.0/8 -m state --state NEW -j DROP
-	/sbin/iptables -A FORWARD -i lo -m state --state NEW -j ACCEPT
+	/sbin/iptables -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -m state --state NEW -j ACCEPT
 	/sbin/iptables -A FORWARD -s 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A FORWARD -d 127.0.0.0/8 -m state --state NEW -j DROP
 	/sbin/iptables -A INPUT -i $GREEN_DEV -m state --state NEW -j ACCEPT ! -p icmp
-- 
2.39.2
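Review bot: The new INPUT accept is narrowed to `-s 127.0.0.0/8 -d 127.0.0.0/8`, so NEW connections that arrive on lo but use one of the firewall's own interface addresses (a local daemon connecting to the box by its GREEN address, which the kernel also delivers over lo) no longer match it; with a 127/8 source they now hit the following `-s 127.0.0.0/8 ... -j DROP` line, which the old `-i lo` rule accepted first, and otherwise fall through to whatever follows the hunk. If that traffic is meant to stay allowed, the simpler `-i lo -m state --state NEW -j ACCEPT` at position 1 already achieves the subject's goal without the address restriction; if the narrowing is deliberate, it deserves a comment. The `-I INPUT 1` also places this rule ahead of every rule added before line 188 (the NEW,NOTSYN check the subject names is not visible in the hunk), while the FORWARD counterpart stays `-A`; a one-line comment such as `# -I 1: lo must be accepted before the NEW,NOTSYN check to avoid log spam from local daemons` would record why the two differ. Note the rules are inside `case "$1" in`, which starts before the hunk, so re-entry behaviour of an `-I` (duplicates if the chain is not flushed first) cannot be judged from here.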