wiki.ipfire.org

The community-maintained documentation platform of IPFire

firewall.local

/etc/sysconfig/firewall.local is a shell script for custom configuration that cannot be done through the firewall GUI. firewall.local is a plain shell script and can only be edited with a text editor. It is executed with root permissions every time the firewall ruleset is loaded.

Common use cases

The most common use case is adding extra iptables rules. These should be added in the “start” section and removed correspondingly in the “stop” section.

Besides adding firewall rules, you may also start and stop system services or do anything else that is scriptable.

iptables chains for custom rules

Do not alter the default iptables chains (this is dangerous, because the firewall ruleset may no longer behave as intended). Instead, there are dedicated chains that MUST be used for custom rules. Packets pass these chains BEFORE they go through the rest of the ruleset.

Use CUSTOMINPUT, CUSTOMFORWARD and CUSTOMOUTPUT in the filter table; and CUSTOMPREROUTING, CUSTOMPOSTROUTING and CUSTOMOUTPUT in the nat table.

Load IP-Blacklist from file

It is possible to load a list of IP addresses from a file in firewall.local. Note that the longer the list, the longer booting will take.

One reason to block IP addresses here is to prevent an infected client from loading additional malware from a botnet command-and-control server. That traffic is client-originated, so IPFire's default ruleset would otherwise allow it.

  • Preconditions
    • a file /etc/sysconfig/blacklist exists
    • it contains IP addresses only (one per line), without any blanks or special characters
    • see the link below to get a script from the forum that generates this file
  • Open the config file
vim /etc/sysconfig/firewall.local
  • Change it to
#!/bin/sh
# Used for private firewall rules

# File with one IP address per line (see the preconditions above)
BLACKLIST="/etc/sysconfig/blacklist"

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        #iptables -A CUSTOMINPUT -s 222.186.30.110 -j DROP
        # The loop variable is named IP so it does not overwrite $BLACKLIST
        for IP in $(cat "$BLACKLIST"); do
         # drop traffic from the address to IPFire itself
         iptables -A CUSTOMINPUT -s "$IP" -j DROP
         # drop traffic from clients behind IPFire to the address (and back)
         iptables -A CUSTOMFORWARD -d "$IP" -j DROP
         iptables -A CUSTOMFORWARD -s "$IP" -j DROP
         #echo "dropping $IP ..."
        done
        ;;
  stop)
        ## add your 'stop' rules here
        #iptables -D CUSTOMINPUT -s 222.186.30.110 -j DROP
        for IP in $(cat "$BLACKLIST"); do
         iptables -D CUSTOMINPUT -s "$IP" -j DROP
         iptables -D CUSTOMFORWARD -d "$IP" -j DROP
         iptables -D CUSTOMFORWARD -s "$IP" -j DROP
         #echo "no longer dropping $IP ..."
        done
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
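A line in the blacklist that is not a plain IP address makes the iptables call in the loop above fail, so the preconditions are worth checking before the list is used. The following POSIX sh functions are an added example, not part of the wiki's script or of IPFire; they assume the file format described above and additionally accept an optional /prefix, since iptables -s takes CIDR notation.

```shell
#!/bin/sh
# Added example: validate a blacklist file before firewall.local feeds it to iptables.
# Format assumed: one IPv4 address per line, optionally with a /prefix, nothing else.

# is_ipv4 ADDR[/PREFIX]: returns 0 for a dotted quad with octets 0-255 and an
# optional prefix 0-32, 1 for anything else (blanks, hostnames, CR characters ...)
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    # no '/' present: the "prefix" is the whole argument, so use a host prefix
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # only digits and dots, no leading, trailing or doubled dot
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_blacklist FILE: prints every offending line as "LINENO: TEXT" and
# returns 0 only when the whole file is safe to feed to iptables
check_blacklist() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! is_ipv4 "$line"; then
            echo "$n: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}
```

Called as check_blacklist /etc/sysconfig/blacklist at the top of the start section, a non-zero return lets the script skip the loop instead of adding a partial ruleset.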

Source: Forum

configuration/firewall/firewall.local.txt · Last modified: 2015/01/03 12:38 by Cybermaze