
List:       ipfire-development
Subject:    [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter
From:       Peter_Müller <peter.mueller () ipfire ! org>
Date:       2021-12-18 13:47:56
Message-ID: 4347b799-f863-9870-50d2-683b8c078670 () ipfire ! org

Inbound Tor traffic conflicts with Location block, as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into the Location block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/;
note that the documentation in the wiki needs to be updated once this has landed
in production.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 49c6b7bf9..cc5baa292 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -227,6 +227,10 @@ iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi
 
+	# Tor (inbound)
+	iptables -N TOR_INPUT
+	iptables -A INPUT -j TOR_INPUT
+
 	# Location Block
 	iptables -N LOCATIONBLOCK
 	iptables -A INPUT -j LOCATIONBLOCK
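Review bot: the jump into TOR_INPUT is unconditional, so every inbound packet now traverses that chain before LOCATIONBLOCK, and any ACCEPT rule later placed into TOR_INPUT bypasses the location filter (and every chain appended to INPUT after it) for all traffic it matches. That is the intended effect for a relay's ORPort, but it makes whatever populates TOR_INPUT security-relevant: those rules should be narrowed to the red interface and the configured port(s), never a bare `-j ACCEPT`. The comment should also state the ordering constraint, e.g. `# Tor (inbound) - must stay ahead of Location Block`, so a later reordering of iptables_init() does not silently reintroduce the conflict the commit message describes.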
@@ -260,9 +264,7 @@ iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# Tor (inbound and outbound)
-	iptables -N TOR_INPUT
-	iptables -A INPUT -j TOR_INPUT
+	# Tor (outbound)
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
 
-- 
2.26.2
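As an added check, not part of this patch or of IPFire's own scripts: the ordering the patch establishes can be verified on a running box from iptables-save output rather than by reading the init script, and the same pass can flag the failure mode the reordering introduces, an ACCEPT in TOR_INPUT that is not limited to a port. The chain names are the patch's; the sample rulesets, the interface name red0, port 9001 and the 203.0.113.0/24 stand-in for the real location match are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the patch or from IPFire: verify, from
# iptables-save output, that the INPUT chain jumps to TOR_INPUT before it
# jumps to LOCATIONBLOCK, and that every ACCEPT inside TOR_INPUT is scoped
# to a destination port. Runs offline against constructed rulesets.

# Constructed post-patch ruleset (chain names from the patch; interface
# "red0", port 9001 and the 203.0.113.0/24 stand-in for the location
# match are assumptions, not IPFire's real rules).
PATCHED='*filter
:INPUT DROP [0:0]
:TOR_INPUT - [0:0]
:LOCATIONBLOCK - [0:0]
:OVPNINPUT - [0:0]
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A INPUT -j OVPNINPUT
-A TOR_INPUT -i red0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A LOCATIONBLOCK -s 203.0.113.0/24 -j DROP
COMMIT'

# Constructed pre-patch ordering: TOR_INPUT is reached only after
# LOCATIONBLOCK, so sources in blocked locations never reach the relay port.
UNPATCHED='*filter
:INPUT DROP [0:0]
:LOCATIONBLOCK - [0:0]
:OVPNINPUT - [0:0]
:TOR_INPUT - [0:0]
-A INPUT -j LOCATIONBLOCK
-A INPUT -j OVPNINPUT
-A INPUT -j TOR_INPUT
-A TOR_INPUT -i red0 -p tcp -m tcp --dport 9001 -j ACCEPT
-A LOCATIONBLOCK -s 203.0.113.0/24 -j DROP
COMMIT'

# Constructed misconfiguration: an unscoped ACCEPT in TOR_INPUT, which with
# the patched ordering opens INPUT on red0 ahead of the location filter.
UNSCOPED='*filter
:INPUT DROP [0:0]
:TOR_INPUT - [0:0]
:LOCATIONBLOCK - [0:0]
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A TOR_INPUT -i red0 -j ACCEPT
COMMIT'

# jump_position RULESET CHAIN: 1-based index, among the "-A INPUT" rules,
# of the first rule whose target is CHAIN; prints 0 when there is no jump.
jump_position() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == "INPUT" {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == chain) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# tor_before_locationblock RULESET: true when both jumps exist and
# TOR_INPUT is evaluated first.
tor_before_locationblock() {
    tor=$(jump_position "$1" TOR_INPUT)
    loc=$(jump_position "$1" LOCATIONBLOCK)
    [ "$tor" -gt 0 ] && [ "$loc" -gt 0 ] && [ "$tor" -lt "$loc" ]
}

# tor_accepts_port_scoped RULESET: true when every ACCEPT rule in
# TOR_INPUT carries a --dport match, i.e. the bypass of LOCATIONBLOCK is
# limited to the relay port(s).
tor_accepts_port_scoped() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "TOR_INPUT" && /-j ACCEPT/ && !/--dport/ { bad++ }
        END { exit (bad ? 1 : 0) }'
}

# report NAME RULESET: one-line verdict covering both checks.
report() {
    if tor_before_locationblock "$2" && tor_accepts_port_scoped "$2"; then
        echo "$1: ok"
    else
        echo "$1: FAIL (wrong chain order or unscoped ACCEPT in TOR_INPUT)"
    fi
}

# Stand-alone run; on a live box feed "$(iptables-save -t filter)" instead.
report patched "$PATCHED"
report unpatched "$UNPATCHED"
report unscoped "$UNSCOPED"
```

The position check is deliberately independent of what sits between the two jumps, since the init script appends other chains (OVPNINPUT and others) to INPUT and their order is not what matters here; only that TOR_INPUT comes first. The port-scope check is the compensating control for the reordering: once TOR_INPUT precedes LOCATIONBLOCK, an unscoped ACCEPT there is a full bypass of the location filter.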