authorDavid Sommerseth <dazo@users.sourceforge.net>2008-10-21 17:03:09 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2008-10-21 17:03:09 +0200
commit1a9355f84232b835654de0a1088ea88de027d0a9 (patch)
treef8755083983da5651f68e6e345fc9cd39c2ffa5e /plugin/eurephia.c
parent0ea1a3e2e6a10300388e01ac89504abe3624ae56 (diff)
Added (untested) firewall block when IP addresses are blacklisted
If the configuration variable 'firewall_blacklist_destination' is set, DROP rules will be inserted when a blacklisted IP address attempts to connect. This feature has not been tested yet.
Diffstat (limited to 'plugin/eurephia.c')
-rw-r--r--plugin/eurephia.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index 7454b1f..0e8e39c 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -257,6 +257,11 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth)
ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip");
if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
+
+ // If fw blacklisting is configured, also blacklist there too
+ if( (ctx->fwcfg != NULL) && (ctx->fwcfg->fwblacklist != NULL ) ) {
+ eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL);
+ }
return 0;
}
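Review bot: The added block discards the result of `eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL)`, so if the rule insert fails the address stays blocked only by the database check and nothing records that the firewall block is missing. The identical block added in eurephia_userauth has the same gap. Assuming the function reports failure through its return value (its declaration is not visible here), test it and log the failure with the address. Since `ipaddr` comes from the `untrusted_ip` environment value and is handed to the firewall layer, it would also be worth guarding with `ipaddr != NULL` in the same condition and confirming the helper validates it as an address before building a rule. Both functions start and end outside their hunks, and because the two blocks are byte-identical a small static helper would keep them from drifting apart.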
@@ -311,6 +316,11 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env)
ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip");
if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) {
eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr);
+
+ // If fw blacklisting is configured, also blacklist there too
+ if( (ctx->fwcfg != NULL) && (ctx->fwcfg->fwblacklist != NULL ) ) {
+ eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL);
+ }
return 0;
}