diff --git a/CHANGES b/CHANGES
index 1114b4f49..576de1aa2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2718,4 +2718,4 @@
 * postgres: enable cube and earthdistance extensions
 * Add ability to register a Cloudron with a setupToken only
 * support: replace ticket section with help section
-
+* firewall: increase blocklist size to 262144
diff --git a/setup/start/cloudron-firewall.sh b/setup/start/cloudron-firewall.sh
index 3da9608d7..8543efcd6 100755
--- a/setup/start/cloudron-firewall.sh
+++ b/setup/start/cloudron-firewall.sh
@@ -18,22 +18,26 @@ function ipxtables() {
 ipxtables -t filter -N CLOUDRON || true
 ipxtables -t filter -F CLOUDRON # empty any existing rules
 
-# first setup any user IP block lists
-ipset create cloudron_blocklist hash:net || true
-ipset create cloudron_blocklist6 hash:net family inet6 || true
+# first setup any user IP block lists . remove all references in iptables before destroying them
+echo "==> Creating ipset cloudron_blocklist"
+$iptables -t filter -D DOCKER-USER -m set --match-set cloudron_blocklist src -j DROP || true
+sleep 1 # without this there is a race that iptables is still referencing the ipset
+ipset destroy cloudron_blocklist || true
+ipset create cloudron_blocklist hash:net maxelem 262144 || true # if you change the size, change network.js size check
+
+echo "==> Creating ipset cloudron_blocklist6"
+$ip6tables -D FORWARD -m set --match-set cloudron_blocklist6 src -j DROP || true
+sleep 1 # without this there is a race that iptables is still referencing the ipset
+ipset destroy cloudron_blocklist6 || true
+ipset create cloudron_blocklist6 hash:net family inet6 maxelem 262144 || true # if you change the size, change network.js size check
 
 /home/yellowtent/box/src/scripts/setblocklist.sh
 
 $iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
-# the DOCKER-USER chain is not cleared on docker restart
-if ! $iptables -t filter -C DOCKER-USER -m set --match-set cloudron_blocklist src -j DROP; then
-    $iptables -t filter -I DOCKER-USER 1 -m set --match-set cloudron_blocklist src -j DROP
-fi
+$iptables -t filter -I DOCKER-USER 1 -m set --match-set cloudron_blocklist src -j DROP # the DOCKER-USER chain is not cleared on docker restart
 
 $ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j DROP
-# there is no DOCKER-USER chain in ip6tables, bug?
-$ip6tables -D FORWARD -m set --match-set cloudron_blocklist6 src -j DROP || true -$ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP +$ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP # there is no DOCKER-USER chain in ip6tables, bug? # allow related and establisted connections ipxtables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT @@ -54,10 +58,16 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_ fi # LDAP user directory allow list -ipset create cloudron_ldap_allowlist hash:net || true +if ! ipset list cloudron_ldap_allowlist >/dev/null 2>&1; then + echo "==> Creating the cloudron_ldap_allowlist ipset" + ipset create cloudron_ldap_allowlist hash:net +fi ipset flush cloudron_ldap_allowlist -ipset create cloudron_ldap_allowlist6 hash:net family inet6 || true +if ! ipset list cloudron_ldap_allowlist6 >/dev/null 2>&1; then + echo "==> Creating the cloudron_ldap_allowlist6 ipset" + ipset create cloudron_ldap_allowlist6 hash:net family inet6 +fi ipset flush cloudron_ldap_allowlist6 ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt" diff --git a/src/network.js b/src/network.js index 6611bca34..ae205d747 100644 --- a/src/network.js +++ b/src/network.js @@ -92,7 +92,7 @@ async function setBlocklist(blocklist, auditSource) { ++count; } - if (count >= 65536) throw new BoxError(BoxError.CONFLICT, 'Blocklist is too large. Max 65536 entries are allowed'); // https://ipset.netfilter.org/ipset.man.html (maxelem) + if (count >= 262144) throw new BoxError(BoxError.CONFLICT, 'Blocklist is too large. Max 262144 entries are allowed'); // see the cloudron-firewall.sh if (constants.DEMO) throw new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'); // store in blob since the value field is TEXT and has 16kb size limit
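Review bot: Between `$iptables -t filter -D DOCKER-USER ... -j DROP || true` / `ipset destroy cloudron_blocklist || true` and the re-insert of the DOCKER-USER rule after setblocklist.sh, no blocklist is enforced at all, and that window (the `sleep 1` plus loading up to 262144 entries) now opens on every run of the script rather than only when the set size actually changes. Because both `ipset destroy ... || true` and `ipset create ... maxelem 262144 || true` swallow failures, a set that could not be destroyed (still referenced by some other rule) silently keeps its old maxelem while network.js goes on accepting 262144 entries, so the two size checks can drift apart without a single log line. Both issues shrink if the destroy/recreate runs only when the existing header does not already carry `maxelem 262144`, and the recreate is allowed to fail loudly when it is really needed; the cloudron_blocklist6 block needs the same treatment. The script continues outside the hunk, so whether a `set -e` turns a failing `ipset create` into an abort is not visible here.
```shell
echo "==> Creating ipset cloudron_blocklist"
# only rebuild when the set is missing or its maxelem differs: a rebuild leaves
# the blocklist unenforced until the DOCKER-USER rule is re-added further down
if ! ipset list -t cloudron_blocklist 2>/dev/null | grep -qw 'maxelem 262144'; then
    $iptables -t filter -D DOCKER-USER -m set --match-set cloudron_blocklist src -j DROP || true
    sleep 1 # without this there is a race that iptables is still referencing the ipset
    ipset destroy cloudron_blocklist || true
    ipset create cloudron_blocklist hash:net maxelem 262144 # if you change the size, change network.js size check
fi
# … unchanged: same pattern for cloudron_blocklist6, setblocklist.sh, CLOUDRON/DOCKER-USER/FORWARD rules …
```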
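Review bot: `ipset list cloudron_ldap_allowlist >/dev/null 2>&1` dumps every member of the set just to find out whether it exists; `ipset list -t cloudron_ldap_allowlist >/dev/null 2>&1` (header only) answers the same question without walking the set, and the cloudron_ldap_allowlist6 guard can use the same form. Dropping `|| true` from the `ipset create` inside the guard is the right call, but whether a failure there aborts the script depends on a `set -e` that lies outside the hunk.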
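Review bot: `if (count >= 262144)` rejects a blocklist with exactly 262144 entries while the error message and the ipset `maxelem 262144` both say 262144 is allowed; the bump carries over the old off-by-one, so either the comparison should read `if (count > 262144)` or the message should say 262143. The limit is also a bare literal that now has to be kept in sync with setup/start/cloudron-firewall.sh by hand; a module-level `const BLOCKLIST_MAX_ENTRIES = 262144; // must match maxelem in setup/start/cloudron-firewall.sh` used in both the check and the message would make that coupling visible to the next reader. setBlocklist starts before the hunk, so how `count` is accumulated (and whether it counts what ipset counts as elements) is not visible here.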