* [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only @ 2020-05-13 20:21 Peter Müller 2020-05-14 10:36 ` Michael Tremer 0 siblings, 1 reply; 9+ messages in thread From: Peter Müller @ 2020-05-13 20:21 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1368 bytes --] This ensures traffic on the loopback interface matches the IPv4 loopback characteristics (source and destination are within 127.0.0.0/8) and prevents any damage in the unlikely case of non-loopback traffic being injected/emitted (in)to the loopback interface. Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> Cc: Michael Tremer <michael.tremer(a)ipfire.org> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- src/initscripts/system/firewall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 00512d9fa..409aaf7a9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -219,10 +219,10 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT - # Accept everything on loopback + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -j ACCEPT - iptables -A LOOPBACK -o lo -j ACCEPT + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT # Filter all packets with loopback addresses on non-loopback interfaces. iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP -- 2.26.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
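Review bot: restricting the `-i lo` and `-o lo` ACCEPT rules to `-s 127.0.0.0/8 -d 127.0.0.0/8` stops them from matching locally delivered traffic that carries one of the firewall's own non-loopback addresses; the kernel's local routing table delivers packets to any host-owned address over lo (as the `ip route get 192.168.190.1 ... dev lo` output later in this thread shows), so a flow such as `192.168.100.254 -> 192.168.100.254:81` on lo no longer hits either ACCEPT and falls through to the remaining INPUT rules, where it is rejected (the `REJECT_INPUT lo TCP ...` log line in this thread). The commit message only considers 127.0.0.0/8 as "loopback characteristics" and does not mention this case. Suggest either keeping the unconditional `-i lo` / `-o lo` ACCEPT and relying on the existing `-s 127.0.0.0/8 -j DROP` rule to filter loopback addresses on non-loopback interfaces, or extending the ACCEPT to cover the host's configured interface addresses, and stating the chosen behaviour in the comment above `iptables -N LOOPBACK`.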
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Michael Tremer
Date: 2020-05-14 10:36 UTC
To: development

Hello,

This is indeed *very* unlikely, but I am okay with this patch being accepted.

Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

Best,
-Michael

> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> This ensures traffic on the loopback interface matches the IPv4
> loopback characteristics (source and destination are within 127.0.0.0/8)
> and prevents any damage in the unlikely case of non-loopback traffic
> being injected/emitted (in)to the loopback interface.
>
> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 00512d9fa..409aaf7a9 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -219,10 +219,10 @@ iptables_init() { > iptables -A INPUT -j ICMPINPUT > iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT > > - # Accept everything on loopback > + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 > iptables -N LOOPBACK > - iptables -A LOOPBACK -i lo -j ACCEPT > - iptables -A LOOPBACK -o lo -j ACCEPT > + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT > + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT > > # Filter all packets with loopback addresses on non-loopback interfaces. > iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP > -- > 2.26.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Matthias Fischer
Date: 2020-05-18 21:03 UTC
To: development

Hi,

perhaps it's only me, but after applying this patch for testing purposes
I don't see any (redirected) urlfilter block pages anymore.

Only the firewall logs are telling me:

...
REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
...

I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
TCP port 81 to see a block page again...

Only me?

Best,
Matthias

On 14.05.2020 12:36, Michael Tremer wrote:
> Hello,
>
> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>
> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>
> Best,
> -Michael
>
>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> This ensures traffic on the loopback interface matches the IPv4
>> loopback characteristics (source and destination are within 127.0.0.0/8)
>> and prevents any damage in the unlikely case of non-loopback traffic
>> being injected/emitted (in)to the loopback interface.
>>
>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 00512d9fa..409aaf7a9 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -219,10 +219,10 @@ iptables_init() { >> iptables -A INPUT -j ICMPINPUT >> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >> >> - # Accept everything on loopback >> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >> iptables -N LOOPBACK >> - iptables -A LOOPBACK -i lo -j ACCEPT >> - iptables -A LOOPBACK -o lo -j ACCEPT >> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >> >> # Filter all packets with loopback addresses on non-loopback interfaces. >> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >> -- >> 2.26.1 > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Michael Tremer
Date: 2020-05-19 8:20 UTC
To: development

Okay, thanks for testing this.

I will ask Arne to revert it.

-Michael

> On 18 May 2020, at 22:03, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>
> Hi,
>
> perhaps it's only me, but after applying this patch for testing purposes
> I don't see any (redirected) urlfilter block pages anymore.
>
> Only the firewall logs are telling me:
>
> ...
> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
> ...
>
> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
> TCP port 81 to see a block page again...
>
> Only me?
>
> Best,
> Matthias
>
> On 14.05.2020 12:36, Michael Tremer wrote:
>> Hello,
>>
>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>
>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>
>> Best,
>> -Michael
>>
>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> This ensures traffic on the loopback interface matches the IPv4
>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>> and prevents any damage in the unlikely case of non-loopback traffic
>>> being injected/emitted (in)to the loopback interface.
>>>
>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>> >>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>> index 00512d9fa..409aaf7a9 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall >>> @@ -219,10 +219,10 @@ iptables_init() { >>> iptables -A INPUT -j ICMPINPUT >>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>> >>> - # Accept everything on loopback >>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>> iptables -N LOOPBACK >>> - iptables -A LOOPBACK -i lo -j ACCEPT >>> - iptables -A LOOPBACK -o lo -j ACCEPT >>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>> >>> # Filter all packets with loopback addresses on non-loopback interfaces. >>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>> -- >>> 2.26.1 >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Michael Tremer
Date: 2020-05-19 8:21 UTC
To: development

Hi,

False alarm. Turns out this isn’t merged, yet.

Best,
-Michael

> On 19 May 2020, at 09:20, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>
> Okay, thanks for testing this.
>
> I will ask Arne to revert it.
>
> -Michael
>
>> On 18 May 2020, at 22:03, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>
>> Hi,
>>
>> perhaps it's only me, but after applying this patch for testing purposes
>> I don't see any (redirected) urlfilter block pages anymore.
>>
>> Only the firewall logs are telling me:
>>
>> ...
>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>> ...
>>
>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>> TCP port 81 to see a block page again...
>>
>> Only me?
>>
>> Best,
>> Matthias
>>
>> On 14.05.2020 12:36, Michael Tremer wrote:
>>> Hello,
>>>
>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>
>>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> This ensures traffic on the loopback interface matches the IPv4
>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>> being injected/emitted (in)to the loopback interface.
>>>>
>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>> --- >>>> src/initscripts/system/firewall | 6 +++--- >>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>>> index 00512d9fa..409aaf7a9 100644 >>>> --- a/src/initscripts/system/firewall >>>> +++ b/src/initscripts/system/firewall >>>> @@ -219,10 +219,10 @@ iptables_init() { >>>> iptables -A INPUT -j ICMPINPUT >>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>> >>>> - # Accept everything on loopback >>>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>>> iptables -N LOOPBACK >>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> >>>> # Filter all packets with loopback addresses on non-loopback interfaces. >>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>> -- >>>> 2.26.1 >>> >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Matthias Fischer
Date: 2020-05-19 8:35 UTC
To: development

Hi,

yes - sorry, forgot to mention this. Didn't want to make too much noise...

Next time I'll write if "merged or not". ;-)

Matthias

On 19.05.2020 10:21, Michael Tremer wrote:
> Hi,
>
> False alarm. Turns out this isn’t merged, yet.
>
> Best,
> -Michael
>
>> On 19 May 2020, at 09:20, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
>>
>> Okay, thanks for testing this.
>>
>> I will ask Arne to revert it.
>>
>> -Michael
>>
>>> On 18 May 2020, at 22:03, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
>>>
>>> Hi,
>>>
>>> perhaps it's only me, but after applying this patch for testing purposes
>>> I don't see any (redirected) urlfilter block pages anymore.
>>>
>>> Only the firewall logs are telling me:
>>>
>>> ...
>>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>>> ...
>>>
>>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>>> TCP port 81 to see a block page again...
>>>
>>> Only me?
>>>
>>> Best,
>>> Matthias
>>>
>>> On 14.05.2020 12:36, Michael Tremer wrote:
>>>> Hello,
>>>>
>>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>>
>>>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>
>>>>> This ensures traffic on the loopback interface matches the IPv4
>>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>>> being injected/emitted (in)to the loopback interface.
>>>>>
>>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>>> --- >>>>> src/initscripts/system/firewall | 6 +++--- >>>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>>> >>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>>>> index 00512d9fa..409aaf7a9 100644 >>>>> --- a/src/initscripts/system/firewall >>>>> +++ b/src/initscripts/system/firewall >>>>> @@ -219,10 +219,10 @@ iptables_init() { >>>>> iptables -A INPUT -j ICMPINPUT >>>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>>> >>>>> - # Accept everything on loopback >>>>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>>>> iptables -N LOOPBACK >>>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>>> >>>>> # Filter all packets with loopback addresses on non-loopback interfaces. >>>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>>> -- >>>>> 2.26.1 >>>> >>> >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Peter Müller
Date: 2020-05-19 13:06 UTC
To: development

Hello Matthias, hello list,

why is that traffic passing through the loopback interface?!

Thanks, and best regards,
Peter Müller

> Hi,
>
> perhaps it's only me, but after applying this patch for testing purposes
> I don't see any (redirected) urlfilter block pages anymore.
>
> Only the firewall logs are telling me:
>
> ...
> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
> ...
>
> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
> TCP port 81 to see a block page again...
>
> Only me?
>
> Best,
> Matthias
>
> On 14.05.2020 12:36, Michael Tremer wrote:
>> Hello,
>>
>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>
>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>
>> Best,
>> -Michael
>>
>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> This ensures traffic on the loopback interface matches the IPv4
>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>> and prevents any damage in the unlikely case of non-loopback traffic
>>> being injected/emitted (in)to the loopback interface.
>>>
>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 6 +++---
>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>> >>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>> index 00512d9fa..409aaf7a9 100644 >>> --- a/src/initscripts/system/firewall >>> +++ b/src/initscripts/system/firewall >>> @@ -219,10 +219,10 @@ iptables_init() { >>> iptables -A INPUT -j ICMPINPUT >>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>> >>> - # Accept everything on loopback >>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>> iptables -N LOOPBACK >>> - iptables -A LOOPBACK -i lo -j ACCEPT >>> - iptables -A LOOPBACK -o lo -j ACCEPT >>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>> >>> # Filter all packets with loopback addresses on non-loopback interfaces. >>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>> -- >>> 2.26.1 >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Matthias Fischer
Date: 2020-05-19 20:23 UTC
To: development

Hi,

sorry, no idea.

The only thing I've found is that "squidGuard uses Squid's [8]standard redirector interface".

*If* 'squidguard' is the culprit here.

Best,
Matthias

On 19.05.2020 15:06, Peter Müller wrote:
> Hello Matthias, hello list,
>
> why is that traffic passing through the loopback interface?!
>
> Thanks, and best regards,
> Peter Müller
>
>> Hi,
>>
>> perhaps it's only me, but after applying this patch for testing purposes
>> I don't see any (redirected) urlfilter block pages anymore.
>>
>> Only the firewall logs are telling me:
>>
>> ...
>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>> ...
>>
>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>> TCP port 81 to see a block page again...
>>
>> Only me?
>>
>> Best,
>> Matthias
>>
>> On 14.05.2020 12:36, Michael Tremer wrote:
>>> Hello,
>>>
>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>
>>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> This ensures traffic on the loopback interface matches the IPv4
>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>> being injected/emitted (in)to the loopback interface.
>>>>
>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>> --- >>>> src/initscripts/system/firewall | 6 +++--- >>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>>> index 00512d9fa..409aaf7a9 100644 >>>> --- a/src/initscripts/system/firewall >>>> +++ b/src/initscripts/system/firewall >>>> @@ -219,10 +219,10 @@ iptables_init() { >>>> iptables -A INPUT -j ICMPINPUT >>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>> >>>> - # Accept everything on loopback >>>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>>> iptables -N LOOPBACK >>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> >>>> # Filter all packets with loopback addresses on non-loopback interfaces. >>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>> -- >>>> 2.26.1 >>> >> > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
From: Michael Tremer
Date: 2020-05-20 12:47 UTC
To: development

Hi,

Because it is the shortest path. My system here has 192.168.190.1 on green0:

[root(a)fw01 ~]# ip route get 192.168.190.1
local 192.168.190.1 dev lo table local src 192.168.190.1 uid 0
    cache <local>

-Michael

> On 19 May 2020, at 14:06, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Matthias, hello list,
>
> why is that traffic passing through the loopback interface?!
>
> Thanks, and best regards,
> Peter Müller
>
>> Hi,
>>
>> perhaps it's only me, but after applying this patch for testing purposes
>> I don't see any (redirected) urlfilter block pages anymore.
>>
>> Only the firewall logs are telling me:
>>
>> ...
>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>> ...
>>
>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>> TCP port 81 to see a block page again...
>>
>> Only me?
>>
>> Best,
>> Matthias
>>
>> On 14.05.2020 12:36, Michael Tremer wrote:
>>> Hello,
>>>
>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>
>>> Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 13 May 2020, at 21:21, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> This ensures traffic on the loopback interface matches the IPv4
>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>> being injected/emitted (in)to the loopback interface.
>>>>
>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>>>> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> src/initscripts/system/firewall | 6 +++---
>>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >>>> index 00512d9fa..409aaf7a9 100644 >>>> --- a/src/initscripts/system/firewall >>>> +++ b/src/initscripts/system/firewall >>>> @@ -219,10 +219,10 @@ iptables_init() { >>>> iptables -A INPUT -j ICMPINPUT >>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>> >>>> - # Accept everything on loopback >>>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8 >>>> iptables -N LOOPBACK >>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> >>>> # Filter all packets with loopback addresses on non-loopback interfaces. >>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>> -- >>>> 2.26.1 >>> >> ^ permalink raw reply [flat|nested] 9+ messages in thread
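The regression Matthias observed and Michael's explanation, as an added simulation that is not part of this thread or of IPFire's code: it models the kernel's local routing table (packets to any host-owned address are delivered over lo, as `ip route get` showed) and first-match evaluation of the LOOPBACK chain before and after the patch. The host addresses are constructed from the thread's examples; a packet that matches no rule is reported as RETURN, which in IPFire's INPUT chain ends at REJECT_INPUT as in Matthias's log.

```python
from ipaddress import ip_address, ip_network

LOOPBACK_NET = ip_network("127.0.0.0/8")
ANY = ip_network("0.0.0.0/0")

# Constructed sample host: its IPv4 addresses and the interface each one is
# configured on (the GREEN address is the one from the log in the thread).
LOCAL_ADDRS = {
    ip_address("127.0.0.1"): "lo",
    ip_address("192.168.100.254"): "green0",
}


def delivery_interface(dst, local_addrs=LOCAL_ADDRS):
    """Model the kernel's 'local' routing table: a packet addressed to any
    address the host owns is delivered over lo, whichever interface carries
    that address. Non-local destinations are not modelled here."""
    if dst in local_addrs or dst in LOOPBACK_NET:
        return "lo"
    return None


def loopback_chain(patched):
    """The LOOPBACK chain from the hunk as (in_if, out_if, src, dst, target).
    None stands for an absent -i/-o option, which matches any interface."""
    accepted = LOOPBACK_NET if patched else ANY
    return [
        ("lo", None, accepted, accepted, "ACCEPT"),   # -i lo ...
        (None, "lo", accepted, accepted, "ACCEPT"),   # -o lo ...
        # anti-spoofing rule that follows the ACCEPTs in the hunk:
        # loopback source address on a non-loopback interface
        (None, None, LOOPBACK_NET, ANY, "DROP"),
    ]


def evaluate(chain, in_if, out_if, src, dst):
    """First-match evaluation; no match returns to the calling chain."""
    for r_in, r_out, r_src, r_dst, target in chain:
        if r_in is not None and r_in != in_if:
            continue
        if r_out is not None and r_out != out_if:
            continue
        if src not in r_src or dst not in r_dst:
            continue
        return target
    return "RETURN"


def input_verdict(in_if, src, dst, patched):
    """Verdict for a packet in the INPUT hook (no output interface)."""
    return evaluate(loopback_chain(patched), in_if, None,
                    ip_address(src), ip_address(dst))


def local_flow_verdict(src, dst, patched):
    """Host talks to one of its own addresses: the kernel picks lo."""
    in_if = delivery_interface(ip_address(dst))
    return input_verdict(in_if, src, dst, patched)


def flows_losing_accept(local_addrs=LOCAL_ADDRS):
    """Pre-merge check: host addresses whose self-addressed traffic stops
    matching the loopback ACCEPT once the patch is applied."""
    lost = []
    for addr in local_addrs:
        before = local_flow_verdict(addr, addr, patched=False)
        after = local_flow_verdict(addr, addr, patched=True)
        if before == "ACCEPT" and after != "ACCEPT":
            lost.append(str(addr))
    return lost


if __name__ == "__main__":
    green = "192.168.100.254"
    for patched in (False, True):
        print("patched" if patched else "before ", green, "->", green,
              local_flow_verdict(green, green, patched))
    # Spoofed loopback source arriving on green0 is dropped either way.
    print("spoofed 127.0.0.1 on green0:", input_verdict("green0", "127.0.0.1", green, True))
    print("addresses losing ACCEPT:", flows_losing_accept())
```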