From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection
Date: Sat, 18 Dec 2021 14:46:56 +0100 [thread overview]
Message-ID: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 2422 bytes --]
This patchset improves IPFire's firewall engine by...
(a) improved logging of spoofed packets and martians
(b) prevention of spoofing attempts on RED's interface IP address
(c) dropping traffic from and to networks known to pose a technical threat to
IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
for details) by default on new installations, doing so in a dedicated, easy
to configure IPtables chain.
Sadly, a decent fraction of our userbase does not bother creating any firewall
rules at all, so any outbound traffic is allowed on their networks. Therefore,
preventing them from reaching the "baddest of the bad" makes sense for a basic
detection of their devices and networks.
Any sane IPS configuration would already cover the networks in question, so
most IPFire machines running a decent IPS policy will already drop the offending
traffic, albeit in a rather costly way.
Please note this patchset needs additional commits for the Core Update it is
intended to go to, such as shipping the changed files, and adding sane defaults
to existing installations in /var/ipfire/optionsfw/settings.
See also: #12031
Peter Müller (11):
firewall: Log packets dropped due to conntrack INVALID state
firewall: Accept inbound Tor traffic before applying the location
filter
firewall: Log and drop spoofed loopback packets
firewall: Prevent spoofing our own RED IP address
firewall: Introduce DROP_HOSTILE
optionsfw.cgi: Make logging of spoofed/martians packets and the
DROP_HOSTILE filter configurable
Update German and English translation files
collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
graphs.pl: Display spoofed and hostile traffic in firewall hits
diagram as well
configroot: Enable logging of spoofed packets/martians by default
configroot: Drop traffic from and to hostile networks by default
config/cfgroot/graphs.pl | 22 ++++++--
config/collectd/collectd.conf | 2 +
html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++------
langs/de/cgi-bin/de.pl | 9 +++-
langs/en/cgi-bin/en.pl | 7 ++-
lfs/configroot | 4 +-
src/initscripts/system/firewall | 63 +++++++++++++++++-----
7 files changed, 166 insertions(+), 37 deletions(-)
--
2.26.2
next reply other threads:[~2021-12-18 13:46 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-18 13:46 Peter Müller [this message]
2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
2021-12-18 13:47 ` [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Peter Müller
2022-01-07 16:58 ` Michael Tremer
2022-01-08 11:38 ` Peter Müller
2021-12-18 13:48 ` [PATCH 03/11] firewall: Log and drop spoofed loopback packets Peter Müller
2022-01-07 17:01 ` Michael Tremer
2022-01-08 11:43 ` Peter Müller
2022-01-16 15:14 ` Michael Tremer
2022-01-18 21:22 ` Peter Müller
2022-01-19 8:25 ` Michael Tremer
2021-12-18 13:48 ` [PATCH 04/11] firewall: Prevent spoofing our own RED IP address Peter Müller
2021-12-18 13:48 ` [PATCH 05/11] firewall: Introduce DROP_HOSTILE Peter Müller
2022-01-07 17:04 ` Michael Tremer
2022-01-08 10:39 ` Peter Müller
2021-12-18 13:49 ` [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Peter Müller
2021-12-18 13:49 ` [PATCH 07/11] Update German and English translation files Peter Müller
2021-12-18 13:49 ` [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} Peter Müller
2021-12-18 13:49 ` [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well Peter Müller
2021-12-18 13:50 ` [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default Peter Müller
2021-12-18 13:50 ` [PATCH 11/11] configroot: Drop traffic from and to hostile networks " Peter Müller
2022-01-07 16:57 ` [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox