From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Date: Sat, 18 Dec 2021 14:46:56 +0100 Message-ID: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0987550891238095444==" List-Id: --===============0987550891238095444== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This patchset improves IPFire's firewall engine by... (a) improved logging of spoofed packets and martians (b) prevention of spoofing attempts on RED's interface IP address (c) dropping traffic from and to networks known to pose a technical threat to IPFire users (see https://git.ipfire.org/?p=3Dlocation/libloc.git;a=3Dcom= mit;h=3D69b3d894fbee6e94afc2a79593f7f6b300b88c10 for details) by default on new installations, doing so in a dedicated, ea= sy to configure IPtables chain. Sadly, a decent fraction of our userbase does not bother creating any fir= ewall rules at all, so any outbound traffic is allowed on their networks. There= fore, preventing them from reaching the "baddest of the bad" makes sense for a = basic detection of their devices and networks. Any sane IPS configuration would already cover the networks in question, = so most IPFire machines running a decent IPS policy will already drop the of= fending traffic, albeit in a rather costly way. Please note this patchset needs additional commits for the Core Update it is intended to go to, such as shipping the changed files, and adding sane defaul= ts to existing installations in /var/ipfire/optionsfw/settings. See also: #12031 Peter M=C3=BCller (11): firewall: Log packets dropped due to conntrack INVALID state firewall: Accept inbound Tor traffic before applying the location filter firewall: Log and drop spoofed loopback packets firewall: Prevent spoofing our own RED IP address firewall: Introduce DROP_HOSTILE optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Update German and English translation files collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well configroot: Enable logging of spoofed packets/martians by default configroot: Drop traffic from and to hostile networks by default config/cfgroot/graphs.pl | 22 ++++++-- config/collectd/collectd.conf | 2 + html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++------ langs/de/cgi-bin/de.pl | 9 +++- langs/en/cgi-bin/en.pl | 7 ++- lfs/configroot | 4 +- src/initscripts/system/firewall | 63 +++++++++++++++++----- 7 files changed, 166 insertions(+), 37 deletions(-) --=20 2.26.2 --===============0987550891238095444==--