From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall/sysctl: Make Reverse Path Forwarding mode configurable
Date: Tue, 19 Apr 2022 10:51:57 +0100
Message-ID: <315C91D0-FD75-4F42-995E-7A0B2C81F959@ipfire.org>
In-Reply-To: <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>

Hello,

I do not quite understand the rationale for this switch. Why would the user need to change this?

You are talking about asymmetric routing, which requires this to be configured in loose mode. Did you have a setup like this?

And if so, I would just recommend reverting the original change that clearly seems to be incompatible with some installations then.

I do not see that this is desirable for the user to control. It is complicated to understand what is happening here and the benefits are so marginal (if there are any at all) that I don't think this is worth it.

-Michael

> On 18 Apr 2022, at 19:27, Peter Müller wrote:
>
> For the vast majority of IPFire installations (i. e. those who do not
> make use of asymmetric routing), it is safe to run the Linux kernel's
> Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704,
> section 2.2, significantly hampering spoofing attacks.
>
> However, we cannot switch to this operating mode globally, since (a)
> some IPFire installations cannot use it and (b) we need to avoid a
> breaking change on this end.
>
> Therefore, this patch adds a switch to the firewall options CGI,
> permitting users to choose between 'loose' and 'strict' RPF mode,
> whereas 'loose' is the current default.
On existing installations, this > should be left untouched - although users are urged to check whether > they can switch to the 'strict' mode -; similar to the 'drop hostile' > feature, this should be set to 'strict' by default on new installations. >=20 > Since only a sysctl is changed under the hood, changes do not require a > reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The > corresponding misc-prog has been adjusted to reflect this. >=20 > Signed-off-by: Peter M=C3=BCller > --- > html/cgi-bin/optionsfw.cgi | 18 ++++++++++++++++++ > langs/de/cgi-bin/de.pl | 3 +++ > langs/en/cgi-bin/en.pl | 5 ++++- > src/initscripts/system/sysctl | 11 ++++++++++- > src/misc-progs/firewallctrl.c | 1 + > 5 files changed, 36 insertions(+), 2 deletions(-) >=20 > diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi > index fbff67b2f..72a4cddc8 100644 > --- a/html/cgi-bin/optionsfw.cgi > +++ b/html/cgi-bin/optionsfw.cgi > @@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_OR= ANGE'}} =3D 'selected=3D"sele > $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; > $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; > $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected=3D= "selected"'; > +$checked{'RPFORWARDINGMODE'}{'loose'} =3D ''; > +$checked{'RPFORWARDINGMODE'}{'strict'} =3D ''; > +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} =3D "checked= =3D'checked'"; >=20 > &Header::openbox('100%', 'center',); > print "
"; > @@ -334,6 +337,21 @@ END > >=20 >
> + > + > + > + > + > + > + > + > + > +
$Lang::tr{'reverse path forwarding'}=
$Lang::tr{'reverse path forwarding mode= '} > + $Lang::tr{'strict'} / > + $Lang::tr{'loose'} > +
> +
> + > >
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index 6094c191a..047d47fe0 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl > @@ -1623,6 +1623,7 @@ > 'logging server' =3D> 'Protokollierungsserver', > 'loginlogout' =3D> 'Login/Logout', > 'logs' =3D> 'Protokolldateien', > +'loose' =3D> 'locker', > 'loosedirectorychecking' =3D> 'Loose directorychecking', > 'low' =3D> 'Niedrig', > 'ls_dhcpd' =3D> 'DHCP-Server:', > @@ -2159,6 +2160,8 @@ > 'restore defaults' =3D> 'Voreinstellungen wiederherstellen', > 'restore hardware settings' =3D> 'Hardwareeinstellungen wiederherstellen', > 'restore settings' =3D> 'Einstellungen wiederherstellen', > +'reverse path forwarding' =3D> 'Reverse Path Forwarding', > +'reverse path forwarding mode' =3D> 'Betriebsmodus des Reverse Path Forwar= ding (siehe RFC 3704, Abschnitt 2)', > 'reverse sort' =3D> 'In umgekehrter chronologischer Reihenfolge sortieren', > 'root' =3D> 'Root', > 'root certificate' =3D> 'Root-Zertifikat', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index 510ed095b..80d8f7f1a 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -1671,6 +1671,7 @@ > 'logging server' =3D> 'Logging Server', > 'loginlogout' =3D> 'Login/Logout', > 'logs' =3D> 'logs', > +'loose' =3D> 'loose', > 'loosedirectorychecking' =3D> 'Loosedirectorychecking', > 'low' =3D> 'Low', > 'ls_dhcpd' =3D> 'DHCP Server:', > @@ -2211,6 +2212,8 @@ > 'restore defaults' =3D> 'Restore defaults', > 'restore hardware settings' =3D> 'Restore hardware settings', > 'restore settings' =3D> 'Reset Settings', > +'reverse path forwarding' =3D> 'Reverse Path Forwarding', > +'reverse path forwarding mode' =3D> 'Operating mode of Reverse Path Forwar= ding (see RFC 3704, section 2)', > 'reverse sort' =3D> 'Sort in reverse chronological order', > 'root' =3D> 'Root', > 'root certificate' =3D> 'Root Certificate', 
> @@ -2394,7 +2397,7 @@ > 'stop' =3D> 'Stop', > 'stop ovpn server' =3D> 'Stop OpenVPN Server', > 'stopped' =3D> 'STOPPED', > -'strict' =3D> 'Strict', > +'strict' =3D> 'strict', > 'subject' =3D> 'Subject', > 'subject test' =3D> 'Teste-mail', > 'subject warn' =3D> 'Warning - warnlevel reached', > diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl > index 8897c1faa..c7aebbc8d 100644 > --- a/src/initscripts/system/sysctl > +++ b/src/initscripts/system/sysctl > @@ -22,6 +22,8 @@ > . /etc/sysconfig/rc > . ${rc_functions} >=20 > +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > + > case "${1}" in > start) > if [ -f "/etc/sysctl.conf" ]; then > @@ -29,7 +31,7 @@ case "${1}" in > sysctl -q -p > evaluate_retval > fi > - arch=3D`uname -m` > + arch=3D$(uname -m) > case "${arch}" in > armv*) > arch=3D"armv6l": > @@ -40,6 +42,13 @@ case "${1}" in > sysctl -q -p /etc/sysctl-${arch}.conf > evaluate_retval > fi > + > + if [ "$RPFORWARDINGMODE" =3D=3D "strict" ]; then > + boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..." > + sysctl -q -w net.ipv4.conf.all.rp_filter=3D1 > + evaluate_retval > + fi > + > ;; >=20 > status) > diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c > index 0f176597d..b6756b0b1 100644 > --- a/src/misc-progs/firewallctrl.c > +++ b/src/misc-progs/firewallctrl.c > @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) { > if (!(initsetuid())) > exit(1); >=20 > + safe_system("/etc/rc.d/init.d/sysctl start"); > int retval =3D safe_system("/usr/lib/firewall/rules.pl"); >=20 > /* If rules.pl has been successfully executed, the indicator > --=20 > 2.34.1 --===============3790787203181061067==--
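Review bot: in the optionsfw.cgi hunk at @@ -158,6 +158,9 @@, `$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}}` is set without a fallback, so on an existing installation whose settings file has no RPFORWARDINGMODE key this marks `$checked{'RPFORWARDINGMODE'}{''}` and neither radio button renders as selected, even though the commit message says 'loose' is the default there. Initialise the value before these lines, e.g. `$settings{'RPFORWARDINGMODE'} = 'loose' unless defined $settings{'RPFORWARDINGMODE'};`, so the form and the sysctl initscript agree on the default.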
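Review bot: in the de.pl hunk at @@ -1623,6 +1623,7 @@, translating the mode name to 'locker' hides the term that the kernel documentation and RFC 3704 use, while the value stored in the settings file stays 'loose'. Consider keeping the English mode names ('loose'/'strict') in the German UI and leaving the explanation to the 'reverse path forwarding mode' label, which already points at RFC 3704.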
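Review bot: the en.pl hunk at @@ -2394,7 +2397,7 @@ changes the existing key `'strict'` from 'Strict' to 'strict' instead of adding a new key, so every other page that already uses `$Lang::tr{'strict'}` silently changes its capitalisation. Either reuse 'Strict' as-is or add a dedicated key for the new radio button; the new `'loose'` key is also added in lower case while its neighbour `'loosedirectorychecking'` stays capitalised, so pick one convention for the pair.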
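Review bot: in the sysctl initscript hunk at @@ -22,6 +22,8 @@, `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)` sits before the `case` statement, so the whole firewall options file is evaluated into the root shell on every invocation, including `status`, and nothing handles a missing settings file. Move it into the `start)` branch next to where `$RPFORWARDINGMODE` is consumed, guard it with `[ -r /var/ipfire/optionsfw/settings ]`, and since `eval` executes whatever the file contains, make sure the CGI only ever writes `loose` or `strict` into this key.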
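Review bot: the `arch=$(uname -m)` change at @@ -29,7 +31,7 @@ is a harmless cleanup but unrelated to RPF; split it into its own commit so the functional change stays reviewable on its own.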
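Review bot: the hunk at @@ -40,6 +42,13 @@ only ever tightens the filter: with `RPFORWARDINGMODE` set to `strict` it writes `net.ipv4.conf.all.rp_filter=1`, but the `loose` case does nothing, so a user who switches from 'strict' back to 'loose' in the CGI keeps strict filtering until the next reboot, contradicting the commit message's claim that re-running the initscript is sufficient. Write the value in both branches (`rp_filter=2` for loose, `rp_filter=1` for strict), and replace `==` with `=` since the former is a bash extension to `[`. Note also that the kernel applies the maximum of `conf.all.rp_filter` and the per-interface value, so any per-interface settings from sysctl.conf still take effect.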
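Review bot: in the firewallctrl.c hunk at @@ -13,6 +13,7 @@, the return value of `safe_system("/etc/rc.d/init.d/sysctl start")` is discarded, unlike the `rules.pl` call directly below it, so a failure to apply the RPF mode passes silently; check it and log or propagate a non-zero status. This also re-applies the complete sysctl configuration on every firewall rules reload rather than only when the RPF mode changed; applying the single `rp_filter` sysctl from the CGI or from rules.pl would be cheaper and easier to audit.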