From 693a45bbf00bf16625c14ad506069dcae7e8f9d2 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Wed, 20 Mar 2024 08:47:19 +0100
Subject: [PATCH] Update firewall rules to insert DROP rule at position 1

---
 imageroot/bin/firewall-rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/imageroot/bin/firewall-rules b/imageroot/bin/firewall-rules
index fa1deb2..c3ce1ae 100755
--- a/imageroot/bin/firewall-rules
+++ b/imageroot/bin/firewall-rules
@@ -16,8 +16,8 @@ if [[ $action == 'create-ipset' ]]; then
     firewall-cmd --reload
 elif [[ $action == 'add-rule' ]]; then
     # we cannot use --permanent option here, because the set of ipset won't be seen by crowdsec-firewall-bouncer.service
-    iptables -I INPUT 0 -m set --match-set crowdsec-blacklists src -j DROP
-    ip6tables -I INPUT 0 -m set --match-set crowdsec6-blacklists src -j DROP
+    iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP
+    ip6tables -I INPUT 1 -m set --match-set crowdsec6-blacklists src -j DROP
 elif [[ $action == 'remove-rule' ]]; then
     iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP
     ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP
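Review bot: The `add-rule` branch is still not idempotent after the position fix: every invocation unconditionally runs `iptables -I INPUT 1 ...`, so repeated calls (service restarts, re-running the action) stack duplicate DROP rules, while the `remove-rule` branch's `-D` deletes only one match per call and can leave a copy behind. Guard each insert with a check, e.g. `iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP 2>/dev/null || iptables -I INPUT 1 -m set --match-set crowdsec-blacklists src -j DROP` and the same for `ip6tables` with `crowdsec6-blacklists`. Note also that the two commands are not error-checked, so a failing `ip6tables` call (no IPv6 stack or missing set) goes unnoticed unless the script sets `-e` outside this hunk; consider logging a warning to stderr on failure. The `if [[ $action ... ]]` chain these lines belong to starts before and continues after the hunk.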