Yes. I agree with you. Carelessly touching iptables rules can severely compromise the security of the firewall. And I am not convinced that unblocking that IP as I did is perfect. Contrary to that, I suspect that to unblock that IP, you can only use iptables. Let’s wait for more detailed suggestions.
I just read Michael Tremer’s post.
And my thoughts go back to my initial thoughts:
<<I don’t think it’s good to unblock that IP.>>
I just installed CU 184.
I can confirm that “afraid” is still blocked by default.
I noticed a change regarding Chains.
HOSTILE_DROP is now divided into:
HOSTILE_DROP_IN
HOSTILE_DROP_OUT
In fact, the rules I created previously no longer work. I had to modify them as follows:
iptables -I HOSTILE_DROP_OUT -p tcp -d 69.42.215.252 --dport 443 -j ACCEPT
iptables -I HOSTILE_DROP_IN -p tcp -s 69.42.215.252 --sport 443 -j ACCEPT
Of course, mine are only tests.
I believe it is good to keep the IP blocked until more is known.
Hi! Is using custom rules for freedns.afraid in /etc/sysconfig/firewall.local still the only way?
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
  start)
    ## add your 'start' rules here
    # Only insert the exception if it is not already present (-C returns 1 when
    # the rule is missing), so repeated starts do not duplicate it.
    iptables -C HOSTILE_DROP_OUT -p tcp -d 69.42.215.252 --dport 443 -j ACCEPT
    if [ $? -eq 1 ]
    then
      iptables -I HOSTILE_DROP_OUT -p tcp -d 69.42.215.252 --dport 443 -j ACCEPT
    fi
    iptables -C HOSTILE_DROP_IN -p tcp -s 69.42.215.252 --sport 443 -j ACCEPT
    if [ $? -eq 1 ]
    then
      iptables -I HOSTILE_DROP_IN -p tcp -s 69.42.215.252 --sport 443 -j ACCEPT
    fi
    ;;
  stop)
    ## add your 'stop' rules here
    # Remove the exception again so the hostile-network block is fully restored.
    iptables -D HOSTILE_DROP_OUT -p tcp -d 69.42.215.252 --dport 443 -j ACCEPT
    iptables -D HOSTILE_DROP_IN -p tcp -s 69.42.215.252 --sport 443 -j ACCEPT
    ;;
  reload)
    $0 stop
    $0 start
    ## add your 'reload' rules here
    ;;
  *)
    echo "Usage: $0 {start|stop|reload}"
    ;;
esac
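Because an exception inserted with `-I` only works while it sits ahead of the chain's DROP, and because a firewall.local without the `-C` guard would pile up duplicate ACCEPT rules on every reload, it is worth checking the resulting chains rather than trusting the script. The following is an added example, not code from this thread or from IPFire: a POSIX sh function that reads `iptables -S <chain>` output and verifies that exactly one narrowly scoped ACCEPT (single /32 host, one port) exists for the freedns.afraid address and that it precedes the first DROP. The rule listings embedded below are constructed samples in iptables-save syntax, not real IPFire output, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit an exception rule in a HOSTILE_DROP_* chain.
# Input is the text printed by `iptables -S <chain>` (constructed here).

# check_exception CHAIN IP PORT RULES
#   0 = exactly one ACCEPT for IP/32 on PORT, placed before the first DROP
#   1 = no such ACCEPT rule in the chain
#   2 = the ACCEPT rule is duplicated (script ran without the -C guard)
#   3 = a DROP precedes the ACCEPT, so the exception can never match
check_exception() {
    chain=$1; ip=$2; port=$3; rules=$4
    printf '%s\n' "$rules" | awk -v chain="$chain" -v ip="$ip" -v port="$port" '
        $1 == "-A" && $2 == chain {
            n++
            # literal substring matches (index) avoid regex surprises with dots
            host = index($0, " -s " ip "/32 ") || index($0, " -d " ip "/32 ")
            prt  = index($0, " --sport " port " ") || index($0, " --dport " port " ")
            if (host && prt && $NF == "ACCEPT") { acc++; if (!accpos) accpos = n }
            if ($NF == "DROP" && !droppos) droppos = n
        }
        END {
            if (acc == 0) exit 1
            if (acc > 1)  exit 2
            if (droppos && droppos < accpos) exit 3
            exit 0
        }'
}

# Constructed sample listings (labels are mine, not IPFire's).
# Healthy outbound chain: one scoped ACCEPT ahead of the block.
SAMPLE_OUT_OK='-N HOSTILE_DROP_OUT
-A HOSTILE_DROP_OUT -d 69.42.215.252/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A HOSTILE_DROP_OUT -j DROP'

# Inbound chain after two starts without the -C check: duplicated exception.
SAMPLE_IN_DUP='-N HOSTILE_DROP_IN
-A HOSTILE_DROP_IN -s 69.42.215.252/32 -p tcp -m tcp --sport 443 -j ACCEPT
-A HOSTILE_DROP_IN -s 69.42.215.252/32 -p tcp -m tcp --sport 443 -j ACCEPT
-A HOSTILE_DROP_IN -j DROP'

# Exception appended with -A instead of inserted with -I: it sits after DROP.
SAMPLE_OUT_LATE='-N HOSTILE_DROP_OUT
-A HOSTILE_DROP_OUT -j DROP
-A HOSTILE_DROP_OUT -d 69.42.215.252/32 -p tcp -m tcp --dport 443 -j ACCEPT'

# describe CHAIN IP PORT RULES: human-readable verdict for a listing
describe() {
    check_exception "$1" "$2" "$3" "$4"
    case $? in
        0) echo "$1: exception for $2:$3 present once and ahead of DROP" ;;
        1) echo "$1: no exception for $2:$3 found" ;;
        2) echo "$1: exception for $2:$3 is duplicated" ;;
        3) echo "$1: exception for $2:$3 is shadowed by an earlier DROP" ;;
    esac
}

describe HOSTILE_DROP_OUT 69.42.215.252 443 "$SAMPLE_OUT_OK"
describe HOSTILE_DROP_IN  69.42.215.252 443 "$SAMPLE_IN_DUP"
describe HOSTILE_DROP_OUT 69.42.215.252 443 "$SAMPLE_OUT_LATE"
```

On a live IPFire box the same function can be fed the real listing, e.g. `describe HOSTILE_DROP_OUT 69.42.215.252 443 "$(iptables -S HOSTILE_DROP_OUT)"` as root, after running firewall.local; any verdict other than the first line means the exception is either missing, duplicated, or not actually effective.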
Yes, and I’m afraid there is no other solution. Even if a GUI interface were implemented, the concept is the same, as long as the service is not moved to an “unbanned” server, but that has to be done by the afraid.dns administrator.