From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
Date: Fri, 15 Oct 2021 11:16:26 +0200
Message-ID: <2f53321a-079f-7371-7a36-3ee9961c5221@ipfire.org>
In-Reply-To: <2AA9AF20-B04A-4D64-82B2-ADF8ED39408F@ipfire.org>

Hello Michael,

> Hello,
>
>> On 13 Oct 2021, at 17:21, Peter Müller wrote:
>>
>> Hello Michael,
>>
>> thanks for your reply.
>>
>>> Thank you.
>>>
>>> Do we want to make this a more convenient option somewhere in the UI in the future?
>>
>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
>> to drop all traffic from and to
>> (a) IP networks not being globally routable ("martians")
>
> Okay. I like this, but in existing setups this will break a lot.

It depends. Perhaps it might be a good idea to split this feature up:

Martians belonging to networks used by IPFire (GREEN, BLUE, ORANGE, etc.), yet arriving on
different interfaces, are spoofing attempts. Dropping these should cause relatively little
harm, unless users run completely crappy setups.

Martians on RED are different, and I would hesitate to enable this by default on new
installations, since it causes trouble if IPFire is used for internal segmentation (which
I guess we have a lot of installations in companies) or behind existing routers, or ISPs
doing things like DS-lite.

What do you think of this proposal?

> I have no idea what to expect from this being a default on new setups.
>
>> (b) publicly routable yet unallocated IP networks ("bogons")
>
> I don’t think this would break much and I would be interested to have statistics on this since we would not expect many firewall hits.

Since the location database is updated weekly by default, very new BGP announcements will
probably cause hits here. On the other hand, network operators usually do not set up their
AS and expect to gain a lot of traffic an hour after.

> People who will have issues with this will likely have broken their location database that it won’t update any more.
>
>> (c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set
>> on the RED interface.
>
> Mentally I am putting this into the same category as bogons (“I am never going to communicate to this network”).

I can relate to that, but still would make a difference here, in case people do not want
their internet access to be filtered by an opinionated source. So, a dedicated switch for
this makes sense to me.

> I believe this won’t break anything either.

Me neither.

>
>> I think it is wise to split this up, since some people might need (a), but not (b) - Arne
>> told me yesterday some mobile ISPs use public IP space internally -, and might not want
>> to enable (c) for whatever reason. One size never fits all.
>
>> (a) is something we (I) can implement straight away. As soon as this patch has been merged,
>
>
> (a) will need a lot of exceptions:
>
> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED)

But only on their respective interface, right? GREEN traffic should not appear on BLUE.

> * All VPNs (OpenVPN, IPsec, H2N and N2N)
> * All static routes
> * Maybe some SNAT/DNAT rules?
>
> These will have to be auto-generated and not bother the admins.

ACK.

> Maybe it would be better to solve this in another way than using iptables.

You are thinking about routing here, aren't you? I like it, but we would have no logging
possibility then, which makes troubleshooting tedious.

> (b) If ISPs use unallocated address space they are on their own. I am sorry. Just stupid. But of course we can add exemptions.
>
>> (c) is no longer an issue, too. (b) is currently blocked due to bug #12691.
>
> We could generally work on this and only release it after #12691 is fixed. It is not a blocker for development. Just for release.

ACK.

Thanks, and best regards,
Peter Müller

>
>> And of course there will be a blog article about this. \o/
>
> Let’s get this on the list first and then think about that.
>
> -Michael
>
>> Thanks, and best regards,
>> Peter Müller
>>
>>>
>>> -Michael
>>>
>>> Reviewed-by: Michael Tremer
>>>
>>>> On 10 Oct 2021, at 18:13, Peter Müller wrote:
>>>>
>>>> This enables creating firewall rules using the special country code "XD"
>>>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful
>>>> text for IP addresses having this flag set.
>>>>
>>>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
>>>> will be in the future (as soon as libloc 0.9.9 is released and running
>>>> in production).
>>>>
>>>> Signed-off-by: Peter Müller
>>>> ---
>>>> config/cfgroot/location-functions.pl | 6 ++++--
>>>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
>>>> index fb97eb589..4d44ce24d 100644
>>>> --- a/config/cfgroot/location-functions.pl
>>>> +++ b/config/cfgroot/location-functions.pl
>>>> @@ -2,7 +2,7 @@
>>>> ###############################################################################
>>>> # #
>>>> # IPFire.org - A linux based firewall #
>>>> -# Copyright (C) 2007-2020 IPFire Team #
>>>> +# Copyright (C) 2007-2021 IPFire Team #
>>>> # #
>>>> # This program is free software: you can redistribute it and/or modify #
>>>> # it under the terms of the GNU General Public License as published by #
>>>> @@ -29,6 +29,7 @@ my %not_iso_3166_location = (
>>>> "A1" => "Anonymous Proxy",
>>>> "A2" => "Satellite Provider",
>>>> "A3" => "Worldwide Anycast Instance",
>>>> + "XD" => "Hostile networks safe to drop",
>>>> );
>>>>
>>>> # Hash which contains possible network flags and their mapped location codes.
>>>> @@ -36,10 +37,11 @@ my %network_flags = (
>>>> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1",
>>>> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2",
>>>> "LOC_NETWORK_FLAG_ANYCAST" => "A3",
>>>> + "LOC_NETWORK_FLAG_DROP" => "XD",
>>>> );
>>>>
>>>> # Array which contains special country codes.
>>>> -my @special_locations = ( "A1", "A2", "A3" );
>>>> +my @special_locations = ( "A1", "A2", "A3", "XD" );
>>>>
>>>> # Directory where the libloc database and keyfile lives.
>>>> our $location_dir = "/var/lib/location/";
>>>> --
>>>> 2.26.2
>>>
>
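Review bot: the new `"XD" => "Hostile networks safe to drop"` entry in `%not_iso_3166_location` deserves a one-line comment explaining why this particular code was chosen; XD sits in the user-assigned range of ISO 3166-1 (XA to XZ), unlike the A1 to A3 legacy codes, so it can never collide with a real country, and recording that next to the entry saves the next maintainer from having to re-check it. The string is also what ipinfo.cgi will display, so consider matching the capitalisation style of the three existing entries ("Anonymous Proxy", "Satellite Provider", "Worldwide Anycast Instance"), e.g. "Hostile Network (safe to drop)".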
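Review bot: the `+my @special_locations = ( "A1", "A2", "A3", "XD" );` line repeats by hand every value already present in `%network_flags`, which is declared directly above it, so the next flag can be added to the hash and forgotten in the array (or the reverse); deriving the array from the hash, `my @special_locations = sort values %network_flags;`, keeps the two in step without changing what this patch does. Since the commit message states that `LOC_NETWORK_FLAG_DROP` is not populated until libloc 0.9.9 is in production, a short comment beside the new `"LOC_NETWORK_FLAG_DROP" => "XD"` key saying so would also explain to a reader why rules selecting XD match nothing for now.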
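The split Peter proposes for option (a), with Michael's exception list, as an added example that is not code from the thread or from IPFire: a source address from one locally connected network arriving on a different interface is treated as spoofing, while martians on RED are only dropped when an explicit switch is on. All interface networks, VPN ranges and static routes below are constructed sample values, not IPFire defaults.

```python
import ipaddress

# Constructed topology: which network belongs to which internal interface.
INTERFACE_NETWORKS = {
    "green0":  ipaddress.ip_network("192.168.10.0/24"),
    "blue0":   ipaddress.ip_network("192.168.20.0/24"),
    "orange0": ipaddress.ip_network("192.168.30.0/24"),
}

# Private address space, the "martian" ranges this example checks. Kept to
# RFC 1918 for brevity; a production list would cover all non-routable space.
MARTIAN_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Exceptions named in the thread: VPN networks and static routes. These would
# be auto-generated from the real configuration; here they are constructed.
EXEMPT_NETWORKS = [ipaddress.ip_network(n) for n in
                   ("10.8.0.0/24",    # constructed OpenVPN network
                    "10.50.0.0/16")]  # constructed static route

def classify(iface, src, drop_martians_on_red=False):
    """Verdict option (a) would give a packet with source `src` entering on
    `iface`: 'accept', 'exempt', 'spoof' (another interface's network seen
    on the wrong interface) or 'martian' (non-routable source)."""
    addr = ipaddress.ip_address(src)
    # A locally connected network is legitimate only on its own interface.
    if iface in INTERFACE_NETWORKS and addr in INTERFACE_NETWORKS[iface]:
        return "accept"
    # VPN and static-route networks never trigger the filter.
    if any(addr in net for net in EXEMPT_NETWORKS):
        return "exempt"
    # GREEN traffic showing up on BLUE (or on RED) is a spoofing attempt.
    if any(addr in net for net in INTERFACE_NETWORKS.values()):
        return "spoof"
    if any(addr in net for net in MARTIAN_RANGES):
        # On RED this is gated by a switch, off by default, because IPFire
        # behind another router or an ISP doing DS-Lite sees such sources.
        if iface == "red0" and not drop_martians_on_red:
            return "accept"
        return "martian"
    return "accept"
```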