From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] strongSwan: Bring back firewall rules for permitting IP-in-IP, ESP and AH traffic
Date: Fri, 20 May 2022 05:45:15 +0000
Message-ID: <33269002-dc89-209f-300b-db1cdc2bf3f4@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3083968349076804473=="
List-Id:
--===============3083968349076804473==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Hello Michael, yes, I just merged it. We ship strongSwan with this update anyway. Thanks, and best regards, Peter M=C3=BCller
> Hello,
>=20
> Yes this looks good to me.
>=20
> Is this going into c168?
>=20
> -Michael
>=20
> Reviewed-by: Michael Tremer
>=20
>> On 18 May 2022, at 18:49, Peter M=C3=BCller w= rote:
>>
>> Fixes: #12866
>> Signed-off-by: Peter M=C3=BCller
>> ---
>> src/patches/strongswan-ipfire.patch | 54 +++++++++++++++++++++--------
>> 1 file changed, 40 insertions(+), 14 deletions(-)
>>
>> diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-= ipfire.patch
>> index 0f2be7483..d8e35cd52 100644
>> --- a/src/patches/strongswan-ipfire.patch
>> +++ b/src/patches/strongswan-ipfire.patch
>> @@ -1,13 +1,13 @@
>> -commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027
>> -Author: Michael Tremer
>> -Date: Mon Mar 21 19:49:02 2022 +0000
>> +commit b439f74361d393bcb85109b6c41a905cf613a296
>> +Author: Peter M=C3=BCller
>> +Date: Wed May 18 17:46:57 2022 +0000
>>
>> IPFire modifications to _updown script
>>
>> - Signed-off-by: Michael Tremer
>> + Signed-off-by: Peter M=C3=BCller
>>
>> diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
>> -index 34eaf68c7..514ecb578 100644
>> +index 34eaf68c7..9ed387a0a 100644
>> --- a/src/_updown/_updown.in
>> +++ b/src/_updown/_updown.in
>> @@ -242,10 +242,10 @@ up-host:iptables)
>> @@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
>> fi
>> #
>> -@@ -342,10 +324,10 @@ up-client:iptables)
>> +@@ -342,47 +324,37 @@ up-client:iptables)
>> if [ "$PLUTO_PEER_CLIENT" =3D "$PLUTO_PEER/32" ]
>> then
>> logger -t $TAG -p $FAC_PRIO \
>> @@ -110,8 +110,20 @@ index 34eaf68c7..514ecb578 100644
>> + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT =3D=3D $PLUTO_PEER -- $= PLUTO_ME =3D=3D $PLUTO_MY_CLIENT"
>> fi
>> fi
>> ++
>> ++ # Open Firewall for IPinIP + AH + ESP Traffic
>> ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++
>> ;;
>> -@@ -353,36 +335,14 @@ down-client:iptables)
>> + down-client:iptables)
>> # connection to client subnet, with (left/right)firewall=3Dyes, going do= wn
>> # This is used only by the default updown script, not by your custom
>> # ones, so do not mess with it; see CAUTION comment up at top.
>> @@ -149,7 +161,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
>> fi
>> #
>> -@@ -392,10 +352,10 @@ down-client:iptables)
>> +@@ -392,12 +364,24 @@ down-client:iptables)
>> if [ "$PLUTO_PEER_CLIENT" =3D "$PLUTO_PEER/32" ]
>> then
>> logger -t $TAG -p $FAC_PRIO -- \
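Review bot: The three rules added in the `@@ -110,8 +110,20 @@` hunk pass `$S_PEER_PORT` and `$D_MY_PORT` alongside `-p IPIP`, `-p AH` and `-p ESP`; in upstream strongSwan's _updown those variables expand to `--sport`/`--dport` whenever the connection's traffic selector carries a port, and iptables rejects port matches for protocols without a port match extension, so such a connection would come up with the insert failing (and the matching `-D` in the `@@ -161,8 +173,22 @@` hunk failing the same way on down). If IPFire's copy of the script sets those variables the same way, the port variables should be dropped from the IPIP/AH/ESP rules in both hunks, as sketched below. It is also worth confirming what `-p IPIP` resolves to on the target: libxtables knows `esp` and `ah` by name but looks `ipip` up in /etc/protocols, where `ipip` is commonly protocol 94 while IP-in-IP (protocol 4) is listed as `ipencap`, so spelling it `-p 4` would be unambiguous. The `up-client:iptables)` case arm this hunk extends begins outside the hunk.
```shell
	# Open Firewall for IPinIP + AH + ESP Traffic
	# No $S_PEER_PORT / $D_MY_PORT here: --sport/--dport are not valid for these protocols.
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p IPIP \
		-s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \
		-s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
		-s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT
	# … unchanged: ;; and the down-client arm, whose -D rules drop the port variables the same way …
```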
>> @@ -161,8 +173,22 @@ index 34eaf68c7..514ecb578 100644
>> + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT =3D=3D $PLUTO_PEER -- $= PLUTO_ME =3D=3D $PLUTO_MY_CLIENT"
>> fi
>> fi
>> ++
>> ++ # Close Firewall for IPinIP + AH + ESP Traffic
>> ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p IPIP \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
>> ++ -s $PLUTO_PEER $S_PEER_PORT \
>> ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
>> ++
>> ;;
>> -@@ -422,10 +382,10 @@ up-host-v6:iptables)
>> + #
>> + # IPv6
>> +@@ -422,10 +406,10 @@ up-host-v6:iptables)
>> # connection to me, with (left/right)firewall=3Dyes, coming up
>> # This is used only by the default updown script, not by your custom
>> # ones, so do not mess with it; see CAUTION comment up at top.
>> @@ -175,7 +201,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
>> -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
>> #
>> -@@ -454,10 +414,10 @@ down-host-v6:iptables)
>> +@@ -454,10 +438,10 @@ down-host-v6:iptables)
>> # connection to me, with (left/right)firewall=3Dyes, going down
>> # This is used only by the default updown script, not by your custom
>> # ones, so do not mess with it; see CAUTION comment up at top.
>> @@ -188,7 +214,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
>> -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
>> #
>> -@@ -487,10 +447,10 @@ up-client-v6:iptables)
>> +@@ -487,10 +471,10 @@ up-client-v6:iptables)
>> # ones, so do not mess with it; see CAUTION comment up at top.
>> if [ "$PLUTO_PEER_CLIENT" !=3D "$PLUTO_MY_SOURCEIP/128" ]
>> then
>> @@ -201,7 +227,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
>> -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
>> fi
>> -@@ -499,10 +459,10 @@ up-client-v6:iptables)
>> +@@ -499,10 +483,10 @@ up-client-v6:iptables)
>> # or sometimes host access via the internal IP is needed
>> if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
>> then
>> @@ -214,7 +240,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_MY_CLIENT $S_MY_PORT \
>> -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
>> fi
>> -@@ -535,11 +495,11 @@ down-client-v6:iptables)
>> +@@ -535,11 +519,11 @@ down-client-v6:iptables)
>> # ones, so do not mess with it; see CAUTION comment up at top.
>> if [ "$PLUTO_PEER_CLIENT" !=3D "$PLUTO_MY_SOURCEIP/128" ]
>> then
>> @@ -228,7 +254,7 @@ index 34eaf68c7..514ecb578 100644
>> -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
>> -d $PLUTO_MY_CLIENT $D_MY_PORT \
>> $IPSEC_POLICY_IN -j ACCEPT
>> -@@ -549,11 +509,11 @@ down-client-v6:iptables)
>> +@@ -549,11 +533,11 @@ down-client-v6:iptables)
>> # or sometimes host access via the internal IP is needed
>> if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
>> then
>> --=20
>> 2.35.3
>=20
--===============3083968349076804473==--