public inbox for development@lists.ipfire.org
* [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection
@ 2021-12-18 13:46 Peter Müller
  2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
                   ` (11 more replies)
  0 siblings, 12 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:46 UTC (permalink / raw)
  To: development


This patchset improves IPFire's firewall engine by...

(a) improving logging of spoofed packets and martians

(b) preventing spoofing attempts on RED's interface IP address

(c) dropping traffic from and to networks known to pose a technical threat to
    IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
    for details) by default on new installations, doing so in a dedicated, easy
    to configure IPtables chain.
    Sadly, a decent fraction of our userbase does not bother creating any firewall
    rules at all, so any outbound traffic is allowed on their networks. Therefore,
    preventing them from reaching the "baddest of the bad" makes sense for a basic
    detection of their devices and networks.
    Any sane IPS configuration would already cover the networks in question, so
    most IPFire machines running a decent IPS policy will already drop the offending
    traffic, albeit in a rather costly way.

Please note this patchset needs additional commits for the Core Update it is
intended to go to, such as shipping the changed files, and adding sane defaults
to existing installations in /var/ipfire/optionsfw/settings.

See also: #12031

Peter Müller (11):
  firewall: Log packets dropped due to conntrack INVALID state
  firewall: Accept inbound Tor traffic before applying the location
    filter
  firewall: Log and drop spoofed loopback packets
  firewall: Prevent spoofing our own RED IP address
  firewall: Introduce DROP_HOSTILE
  optionsfw.cgi: Make logging of spoofed/martians packets and the
    DROP_HOSTILE filter configurable
  Update German and English translation files
  collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
  graphs.pl: Display spoofed and hostile traffic in firewall hits
    diagram as well
  configroot: Enable logging of spoofed packets/martians by default
  configroot: Drop traffic from and to hostile networks by default

 config/cfgroot/graphs.pl        | 22 ++++++--
 config/collectd/collectd.conf   |  2 +
 html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
 langs/de/cgi-bin/de.pl          |  9 +++-
 langs/en/cgi-bin/en.pl          |  7 ++-
 lfs/configroot                  |  4 +-
 src/initscripts/system/firewall | 63 +++++++++++++++++-----
 7 files changed, 166 insertions(+), 37 deletions(-)

-- 
2.26.2

^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
@ 2021-12-18 13:47 ` Peter Müller
  2021-12-18 13:47 ` [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Peter Müller
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:47 UTC (permalink / raw)
  To: development


In case of faulty connection tracking, this ensures such packets are
logged, to make analysing network incidents less troublesome. Since
NewNotSYN is handled before, where logging can be turned off for systems
running on weak flash devices, the amount of log messages emitted here
should be negligible.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 75ea8abdf..49c6b7bf9 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -110,7 +110,7 @@ iptables_init() {
 	# Connection tracking chains
 	iptables -N CONNTRACK
 	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
+	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
 	iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
 	# Restore any connection marks
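Review bot: the new `-j LOG_DROP` target on the INVALID rule assumes the LOG_DROP chain already exists when CONNTRACK is built; nothing in this hunk shows where LOG_DROP is created, and if it comes later in iptables_init() the rule fails to load and INVALID packets are no longer dropped at all. Please confirm the creation order. Also, unlike the NEWNOTSYN logging the commit message refers to, this logging has no on/off switch, so if LOG_DROP is not itself rate-limited a burst of out-of-state packets (for example right after a conntrack table flush) can flood the kernel log; consider `-m limit` on the jump or an option in the style of DROPNEWNOTSYN.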
@@ -136,7 +136,7 @@ iptables_init() {
 	iptables -A INPUT -j P2PBLOCK
 	iptables -A FORWARD -j P2PBLOCK
 	iptables -A OUTPUT -j P2PBLOCK
-	
+
 	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
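Review bot: this hunk and the next only strip trailing whitespace from blank lines in unrelated parts of the file. Mixing that into a one-line behavioural change makes the diff harder to bisect, and the commit message does not mention it; either drop the whitespace hunks or move them into a separate cleanup commit.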
@@ -265,7 +265,7 @@ iptables_init() {
 	iptables -A INPUT -j TOR_INPUT
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
-	
+
 	# Jump into the actual firewall ruleset.
 	iptables -N INPUTFW
 	iptables -A INPUT -j INPUTFW
-- 
2.26.2


* [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
  2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
@ 2021-12-18 13:47 ` Peter Müller
  2022-01-07 16:58   ` Michael Tremer
  2021-12-18 13:48 ` [PATCH 03/11] firewall: Log and drop spoofed loopback packets Peter Müller
                   ` (9 subsequent siblings)
  11 siblings, 1 reply; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:47 UTC (permalink / raw)
  To: development


Inbound Tor traffic conflicts with Location block as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into Location block
chain.

Note this affects Tor relay operators only.

Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90(a)ipfire.org/,
note the documentation in the wiki needs to be updated once this has landed
in production.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 49c6b7bf9..cc5baa292 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -227,6 +227,10 @@ iptables_init() {
 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
 	fi
 
+	# Tor (inbound)
+	iptables -N TOR_INPUT
+	iptables -A INPUT -j TOR_INPUT
+
 	# Location Block
 	iptables -N LOCATIONBLOCK
 	iptables -A INPUT -j LOCATIONBLOCK
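Review bot: moving the TOR_INPUT jump here puts it ahead of LOCATIONBLOCK as intended, but also ahead of every chain that sat between the old position (after OVPNINPUT, see the second hunk) and this one, so whatever TOR_INPUT accepts now skips those chains as well. That is acceptable if TOR_INPUT only ever accepts the relay's ORPort/DirPort, but the commit message should state that assumption and the chains in between should be checked rather than assumed. It is also worth saying explicitly that the location filter is deliberately bypassed for these packets, since a relay operator who has blocked countries will otherwise be surprised to see connections from them.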
@@ -260,9 +264,7 @@ iptables_init() {
 	iptables -N OVPNINPUT
 	iptables -A INPUT -j OVPNINPUT
 
-	# Tor (inbound and outbound)
-	iptables -N TOR_INPUT
-	iptables -A INPUT -j TOR_INPUT
+	# Tor (outbound)
 	iptables -N TOR_OUTPUT
 	iptables -A OUTPUT -j TOR_OUTPUT
 
-- 
2.26.2


* [PATCH 03/11] firewall: Log and drop spoofed loopback packets
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
  2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
  2021-12-18 13:47 ` [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Peter Müller
@ 2021-12-18 13:48 ` Peter Müller
  2022-01-07 17:01   ` Michael Tremer
  2021-12-18 13:48 ` [PATCH 04/11] firewall: Prevent spoofing our own RED IP address Peter Müller
                   ` (8 subsequent siblings)
  11 siblings, 1 reply; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:48 UTC (permalink / raw)
  To: development


Traffic from and to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and the loopback interface cannot be abused for processing
traffic from and to any other networks.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index cc5baa292..1c62c6e2c 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -80,6 +80,14 @@ iptables_init() {
 	fi
 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
 
+	# Log and subsequently drop spoofed packets or "martians", arriving from sources
+	# on interfaces where we don't expect them
+	iptables -N SPOOFED_MARTIAN
+	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
+		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
+	fi
+	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
+
 	# Chain to contain all the rules relating to bad TCP flags
 	iptables -N BADTCP
 
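Review bot: the variable gating the LOG rule is named DROPSPOOFEDMARTIAN, but it only toggles logging; the DROP on the following line is unconditional. That mirrors the existing NEWNOTSYN pattern in the context lines above, so it is consistent, but the name will mislead anyone reading the settings file, and the matching UI label in patch 07 ("Log dropped spoofed packets ...") says "log". A one-line comment stating that the option controls logging only would help. Minor: `[ "$DROPSPOOFEDMARTIAN" == "on" ]` uses the bash-only `==`; fine for a bash script, but `=` is the portable form.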
@@ -177,14 +185,18 @@ iptables_init() {
 	iptables -A INPUT -j ICMPINPUT
 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
 
-	# Accept everything on loopback
+	# Accept everything on loopback if source/destination is loopback space...
 	iptables -N LOOPBACK
-	iptables -A LOOPBACK -i lo -j ACCEPT
-	iptables -A LOOPBACK -o lo -j ACCEPT
+	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
+	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
+
+	# ... and drop everything else on the loopback interface, since no other traffic should appear there
+	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
+	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
 
-	# Filter all packets with loopback addresses on non-loopback interfaces.
-	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
-	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
+	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
+	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
+	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
 
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j LOOPBACK
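Review bot: `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` drops more than spoofed traffic. Linux delivers any packet addressed to one of the host's own addresses over lo, so a process on IPFire talking to the firewall's own GREEN or RED address (a local resolver query to the interface IP, the web UI reached via its LAN address, a local DHCP/NTP check) arrives with `-i lo` and a non-127/8 source and destination, and would now be logged and dropped as a martian. Keep the unconditional `-i lo` / `-o lo` ACCEPT and route only 127.0.0.0/8 seen on other interfaces to SPOOFED_MARTIAN, which the last two rules of the hunk already do. If the goal is really to catch non-loopback traffic on lo, it needs a whitelist of all local addresses, which is hard to keep correct when RED changes.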
-- 
2.26.2


* [PATCH 04/11] firewall: Prevent spoofing our own RED IP address
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (2 preceding siblings ...)
  2021-12-18 13:48 ` [PATCH 03/11] firewall: Log and drop spoofed loopback packets Peter Müller
@ 2021-12-18 13:48 ` Peter Müller
  2021-12-18 13:48 ` [PATCH 05/11] firewall: Introduce DROP_HOSTILE Peter Müller
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:48 UTC (permalink / raw)
  To: development


There is no legitimate reason why traffic from our own IP address on RED
should ever appear incoming on that interface.

This prevents attackers from impersonating IPFire itself, and is only
cleared/reset if the RED interface is brought up. Therefore, an attacker
cannot bypass this by forcing a dial-up or DHCP connection to break down.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 1c62c6e2c..9e62c0245 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -374,6 +374,17 @@ iptables_red_up() {
 	iptables -F REDFORWARD
 	iptables -t nat -F REDNAT
 
+	# Prohibit spoofing our own IP address on RED
+	if [ -f /var/ipfire/red/active ]; then
+		REDIP="$( cat /var/ipfire/red/local-ipaddress )";
+
+		if [ "$IFACE" != "" ]; then
+			iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN
+		elif [ "$DEVICE" != "" ]; then
+			iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN
+		fi
+	fi
+
 	# PPPoE / PPTP Device
 	if [ "$IFACE" != "" ]; then
 		# PPPoE / PPTP
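Review bot: `REDIP="$( cat /var/ipfire/red/local-ipaddress )";` is read whenever red/active exists, but nothing guards against the file being empty or missing (dial-up race, or a RED setup whose address file is written by a different hook); with `$REDIP` unquoted the rule then degenerates to `iptables -A REDINPUT -s -i ppp0 ...`, fails to load, and leaves no protection at all. Suggest `[ -n "$REDIP" ] || return`-style guarding, quoting `"$REDIP"` and `"$IFACE"`/`"$DEVICE"`, and dropping the stray trailing `;`. Second point: the match is added to REDINPUT only, so a forged packet carrying our RED source address that is DNAT'd to an internal host traverses REDFORWARD (flushed a few lines above) untouched; if the aim is to stop impersonation of IPFire towards the LAN, the same match belongs there too.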
-- 
2.26.2


* [PATCH 05/11] firewall: Introduce DROP_HOSTILE
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (3 preceding siblings ...)
  2021-12-18 13:48 ` [PATCH 04/11] firewall: Prevent spoofing our own RED IP address Peter Müller
@ 2021-12-18 13:48 ` Peter Müller
  2022-01-07 17:04   ` Michael Tremer
  2021-12-18 13:49 ` [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Peter Müller
                   ` (6 subsequent siblings)
  11 siblings, 1 reply; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:48 UTC (permalink / raw)
  To: development


Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.

Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfere with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9e62c0245..ebc8168ae 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -139,6 +139,20 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# Log and drop any traffic from and to networks known as being hostile, posing
+	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
+	if [ "$DROPHOSTILE" == "on" ]; then
+		iptables -N DROP_HOSTILE
+		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
+
+		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
+		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
+
+		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
+	fi
+
 	# P2PBLOCK
 	iptables -N P2PBLOCK
 	iptables -A INPUT -j P2PBLOCK
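Review bot: two problems. (1) The OUTPUT rule uses `--src-cc XD`; for packets leaving on RED the source is our own address, so the rule never matches and outbound traffic from IPFire itself to hostile networks is not dropped. It should be `--dst-cc XD`, as in the FORWARD `-o` rule above it. (2) The four rules use `$IFACE` inside iptables_init(), where this hunk shows no assignment; on a PPP/PPPoE RED the interface name is only known once the link is up (compare iptables_red_up() in patch 04), and with an empty expansion `-i` consumes the following `-m` token as the interface name, so the rules fail to load while the DROP_HOSTILE chain silently stays unreferenced. Either drop the interface match (the geoip match already limits scope) or add these jumps from iptables_red_up(). Minor: the chain only exists when DROPHOSTILE=on, so anything that references DROP_HOSTILE unconditionally (the collectd entry in patch 08) must cope with it being absent.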
-- 
2.26.2
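As an added example (not code from this patch series or from IPFire), the following POSIX shell/awk script summarises the kernel log lines that the LOG rules from patches 03 and 05 emit, keyed on the `DROP_SPOOFED_MARTIAN ` and `DROP_HOSTILE ` prefixes those patches set; it also counts the case patch 04 targets, a spoofed source equal to our own RED address. The log lines are constructed samples in the netfilter LOG format (`IN=`, `OUT=`, `SRC=`, `DST=` are the kernel's own field names); the interface names, addresses, and the helper names `summarise_drops`, `count_prefix` and `spoofed_own_ip` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the patch series: summarise the kernel log lines
# produced by the SPOOFED_MARTIAN and DROP_HOSTILE LOG rules.

# Constructed sample of /var/log/messages lines in netfilter LOG format.
# Addresses are from documentation ranges; red0/green0 are assumed names.
SAMPLE_LOG='Dec 18 13:50:01 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= SRC=127.0.0.1 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=22
Dec 18 13:50:02 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= SRC=198.51.100.2 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=12345 DPT=443
Dec 18 13:50:03 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55555 DPT=445
Dec 18 13:50:04 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=5000 DPT=53
Dec 18 13:50:05 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= SRC=203.0.113.1 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=1 DPT=80
Dec 18 13:50:06 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55556 DPT=445'

# summarise_drops PREFIX
# Reads log lines on stdin and prints "IN_IFACE SRC COUNT" for every
# (ingress interface, source address) pair logged with PREFIX, busiest first.
# Lines without IN= (locally generated, OUTPUT chain) are keyed as "-".
summarise_drops() {
    prefix="$1"
    awk -v p="$prefix" '
        $0 ~ ("kernel: " p " ") {
            in_if = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  in_if = substr($i, 4)
                if ($i ~ /^SRC=/) src   = substr($i, 5)
            }
            if (in_if == "") in_if = "-"
            count[in_if " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1
}

# count_prefix PREFIX
# Total number of sample lines carrying PREFIX (a quick health check that the
# LOG rule actually fires; other prefixes such as DROP_NEWNOTSYN are ignored).
count_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "kernel: $1 "
}

# spoofed_own_ip REDIP
# Number of SPOOFED_MARTIAN hits whose source is our own RED address, i.e. an
# attempt to impersonate the firewall itself (the case patch 04 addresses).
spoofed_own_ip() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" '
        /DROP_SPOOFED_MARTIAN/ {
            for (i = 1; i <= NF; i++) if ($i == ("SRC=" ip)) n++
        }
        END { print n + 0 }'
}

echo "== DROP_HOSTILE by ingress interface and source =="
printf '%s\n' "$SAMPLE_LOG" | summarise_drops DROP_HOSTILE
echo "== DROP_SPOOFED_MARTIAN by ingress interface and source =="
printf '%s\n' "$SAMPLE_LOG" | summarise_drops DROP_SPOOFED_MARTIAN
echo "spoofed packets claiming our RED address: $(spoofed_own_ip 198.51.100.2)"
```

On a real box the `printf ... "$SAMPLE_LOG"` pipe is replaced by `grep kernel: /var/log/messages`; the per-interface grouping is what makes the difference between a noisy spoof from the Internet and a misconfigured LAN host (an `IN=green0` entry under DROP_HOSTILE) visible at a glance.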


* [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (4 preceding siblings ...)
  2021-12-18 13:48 ` [PATCH 05/11] firewall: Introduce DROP_HOSTILE Peter Müller
@ 2021-12-18 13:49 ` Peter Müller
  2021-12-18 13:49 ` [PATCH 07/11] Update German and English translation files Peter Müller
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:49 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++++++-------
 1 file changed, 80 insertions(+), 16 deletions(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 1ecf4f180..481d5bdbd 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2014-2020  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2014-2021  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -110,6 +110,12 @@ $checked{'DROPWIRELESSINPUT'}{$settings{'DROPWIRELESSINPUT'}} = "checked='checke
 $checked{'DROPWIRELESSFORWARD'}{'off'} = '';
 $checked{'DROPWIRELESSFORWARD'}{'on'} = '';
 $checked{'DROPWIRELESSFORWARD'}{$settings{'DROPWIRELESSFORWARD'}} = "checked='checked'";
+$checked{'DROPSPOOFEDMARTIAN'}{'off'} = '';
+$checked{'DROPSPOOFEDMARTIAN'}{'on'} = '';
+$checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='checked'";
+$checked{'DROPHOSTILE'}{'off'} = '';
+$checked{'DROPHOSTILE'}{'on'} = '';
+$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
 $checked{'DROPPROXY'}{'off'} = '';
 $checked{'DROPPROXY'}{'on'} = '';
 $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
@@ -195,24 +201,82 @@ END
 	<br>
 
 <table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
-																						<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
-																						<input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
-																						<input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
-																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
-																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
-																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
-																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
+	<tr bgcolor='$color{'color20'}'>
+		<td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/
+			<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop input'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/
+			<input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop forward'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/
+			<input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/
+			<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop portscan'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
+			<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+			<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+			<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop spoofed martians'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPSPOOFEDMARTIAN' value='on' $checked{'DROPSPOOFEDMARTIAN'}{'on'} />/
+			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
 </table>
 <br/>
 
+<table width='95%' cellspacing='0'>
+	<tr bgcolor='$color{'color20'}'>
+		<td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
+			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+</table>
+<br>
+
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
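Review bot: the functional change in this hunk is one new row (DROPSPOOFEDMARTIAN) plus a new "fw red" table for DROPHOSTILE, but it also re-indents every existing row of the logging table, so roughly eighty lines of diff carry about twenty lines of real change; a separate whitespace commit would make review and later blame easier. Small inconsistency: the new table closes with `<br>` while the one above it uses `<br/>`. The save path is not shown; please confirm that the handler writing /var/ipfire/optionsfw/settings restricts DROPSPOOFEDMARTIAN and DROPHOSTILE to "on"/"off" like the existing options, since the firewall script compares them with `== "on"`.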
-- 
2.26.2


* [PATCH 07/11] Update German and English translation files
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (5 preceding siblings ...)
  2021-12-18 13:49 ` [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Peter Müller
@ 2021-12-18 13:49 ` Peter Müller
  2021-12-18 13:49 ` [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} Peter Müller
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:49 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 langs/de/cgi-bin/de.pl | 9 +++++++--
 langs/en/cgi-bin/en.pl | 7 ++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index c81b28fea..50829fc92 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1,4 +1,4 @@
-%tr = ( 
+%tr = (
 %tr,
 
 '24 hours' => '24 Stunden',
@@ -909,12 +909,14 @@
 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
 'drop action2' => 'Standardverhalten der (Input) Firewall',
 'drop forward' => 'Verworfene, von der Firewall weitergeleitete Pakete protokollieren',
+'drop hostile' => 'Pakete von und zu bösartigen Netzen (Spamhaus DROP-Listing, etc.) verwerfen',
 'drop input' => 'Verworfene eingehende Pakete protokollieren',
 'drop newnotsyn' => 'Verworfene neue Pakete ohne SYN-Markierung protokollieren (NewNotSYN)',
 'drop outgoing' => 'Verworfene, von der Firewall ausgehende Pakete protokollieren',
 'drop portscan' => 'Verworfene Portscan Pakete protokollieren',
 'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind',
 'drop samba' => 'Alle Pakete an Microsoftdienste verwerfen (Ports 135, 137, 138, 139, 445 und 1025)',
+'drop spoofed martians' => 'Verworfene gefälschte Pakete und Marsianer protokollieren',
 'drop wirelessforward' => 'Verworfene weitergeleitete Wireless-Pakete protokollieren',
 'drop wirelessinput' => 'Verworfene eingehende Wireless-Pakete protokollieren',
 'dst port' => 'Zielport',
@@ -1106,7 +1108,7 @@
 'from email server' => 'Von E-Mail-Server',
 'from email user' => 'Von E-Mail-Benutzer',
 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
-'fw blue' => 'Firewalloptionen für das Blaue Interface',
+'fw blue' => 'Firewalloptionen für das blaue Interface',
 'fw default drop' => 'Firewallrichtlinie',
 'fw logging' => 'Firewallprotokollierung',
 'fw settings' => 'Firewalleinstellungen',
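Review bot: the 'fw blue' capitalisation change ("Blaue" to "blaue") and the `%tr = ( ` trailing-space fix in the first hunk are unrelated to this series and the commit has no message body explaining them; they are fine as drive-bys, but a sentence in the commit message would save the next reader from wondering whether something functional changed.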
@@ -1114,6 +1116,7 @@
 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+'fw red' => 'Firewalloptionen für das rote Interface',
 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
 'fwdfw DROP' => 'Verwerfen (DROP)',
 'fwdfw MODE1' => 'Alle Pakete verwerfen',
@@ -1355,6 +1358,7 @@
 'host deny' => 'Liste der nicht Zugriffsberechtigten',
 'host ip' => 'Host IP-Adresse',
 'host to net vpn' => 'Host-zu-Netz Virtual Private Network (RoadWarrior)',
+'hostile networks' => 'Bösartige Netze',
 'hostname' => 'Hostname',
 'hostname and domain already in use' => 'Hostname und Domain werden bereits benutzt.',
 'hostname cant be empty' => 'Hostname darf nicht leer bleiben.',
@@ -2268,6 +2272,7 @@
 'spectre variant 1' => 'Spectre-Variante 1',
 'spectre variant 2' => 'Spectre-Variante 2',
 'spectre variant 4' => 'Spectre-Variante 4',
+'spoofed or martians' => 'Gefälscht/Marsianer',
 'squid extension methods' => 'Ihre <tt>extension_methods</tt> Liste',
 'squid extension methods invalid' => 'Ihre  \'extension_methods\' Liste darf nur Worte aus Großbuchstaben und Ziffer enthalten, die mittels eines Leerzeichens getrennt werden.',
 'squid fix cache' => 'Zwischenspeicher reparieren',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a92bb07f8..74955d20e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1,4 +1,4 @@
-%tr = ( 
+%tr = (
 %tr,
 
 '24 hours' => '24 Hours',
@@ -934,12 +934,14 @@
 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"',
 'drop action2' => 'Default behaviour of (input) firewall',
 'drop forward' => 'Log dropped forward packets',
+'drop hostile' => 'Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)',
 'drop input' => 'Log dropped input packets',
 'drop newnotsyn' => 'Log dropped new not SYN packets',
 'drop outgoing' => 'Log dropped outgoing packets',
 'drop portscan' => 'Log dropped portscan packets',
 'drop proxy' => 'Drop all packets not addressed to proxy',
 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025',
+'drop spoofed martians' => 'Log dropped spoofed packets and marsians',
 'drop wirelessforward' => 'Log dropped wireless forward packets',
 'drop wirelessinput' => 'Log dropped wireless input packets',
 'dst port' => 'Dst Port',
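Review bot: 'Log dropped spoofed packets and marsians' contains a typo; it should read "martians" (the key name and the German string both spell it correctly). Also, the two new labels read inconsistently next to each other: 'drop hostile' describes a drop switch, while 'drop spoofed martians' describes a logging switch. That matches what the firewall script actually does with DROPHOSTILE and DROPSPOOFEDMARTIAN, but it is easy to misread, so consider wording the second one as "Log dropped spoofed packets and martians (dropping is always on)".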
@@ -1141,6 +1143,7 @@
 'fw settings dropdown' => 'Show all networks on rulecreation site',
 'fw settings remark' => 'Show remarks in ruletable',
 'fw settings ruletable' => 'Show empty ruletables',
+'fw red' => 'Firewall options for RED interface',
 'fwdfw ACCEPT' => 'ACCEPT',
 'fwdfw DROP' => 'DROP',
 'fwdfw MODE1' => 'Drop all packets',
@@ -1384,6 +1387,7 @@
 'host deny' => 'list with denied hosts',
 'host ip' => 'Host IP address',
 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
+'hostile networks' => 'Hostile networks',
 'hostname' => 'Hostname',
 'hostname and domain already in use' => 'Hostname and domain already in use.',
 'hostname cant be empty' => 'Hostname cannot be empty.',
@@ -2309,6 +2313,7 @@
 'spectre variant 1' => 'Spectre Variant 1',
 'spectre variant 2' => 'Spectre Variant 2',
 'spectre variant 4' => 'Spectre Variant 4',
+'spoofed or martians' => 'Spoofed/Martians',
 'squid extension methods' => 'Your <tt>extension_methods</tt> list',
 'squid extension methods invalid' => 'Your \'extension_methods\' list can only contain uppercase words of letters and digits, separated with a space. ',
 'squid fix cache' => 'Repair cache',
-- 
2.26.2


* [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (6 preceding siblings ...)
  2021-12-18 13:49 ` [PATCH 07/11] Update German and English translation files Peter Müller
@ 2021-12-18 13:49 ` Peter Müller
  2021-12-18 13:49 ` [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well Peter Müller
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:49 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/collectd/collectd.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 941c631c9..b80e3b785 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -51,6 +51,8 @@ include "/etc/collectd.precache"
 	Chain filter POLICYFWD DROP_FORWARD
 	Chain filter POLICYOUT DROP_OUTPUT
 	Chain filter POLICYIN DROP_INPUT
+	Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
+	Chain filter HOSTILE DROP_HOSTILE
 </Plugin>
 
 #<Plugin logfile>
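Review bot: `Chain filter HOSTILE DROP_HOSTILE` points at a chain that does not exist. collectd's iptables plugin takes `Chain <table> <chain> [<comment>]`, and the existing lines follow that (chain POLICYIN, comment DROP_INPUT); the chain created in patch 05 is named DROP_HOSTILE, not HOSTILE, so this counter will never populate. It should read `Chain filter DROP_HOSTILE DROP_HOSTILE`. The SPOOFED_MARTIAN line is correct (chain SPOOFED_MARTIAN, comment DROP_SPOOFED_MARTIAN). Note also that DROP_HOSTILE only exists when DROPHOSTILE=on, so installations with the option off should expect collectd to complain about the missing chain unless the plugin tolerates it.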
-- 
2.26.2


* [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well
  2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
                   ` (7 preceding siblings ...)
  2021-12-18 13:49 ` [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} Peter Müller
@ 2021-12-18 13:49 ` Peter Müller
  2021-12-18 13:50 ` [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default Peter Müller
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 22+ messages in thread
From: Peter Müller @ 2021-12-18 13:49 UTC (permalink / raw)
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/cfgroot/graphs.pl | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index 02341eb45..b964f1e80 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -3,7 +3,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2005-2010  IPFire Team                                        #
+# Copyright (C) 2005-2021  IPFire Team                                        #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -106,7 +106,7 @@ foreach (@sensorsdir){
 
 sub makegraphbox {
 	my ($origin, $name, $default_range) = @_;
-	
+
 	# Optional time range: Default to "day" unless otherwise specified
 	$default_range = "day" unless ($default_range ~~ @time_ranges);
 
@@ -154,7 +154,7 @@ sub updatecpugraph {
 		"COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}),
 		"COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j"
 	);
-	
+
 	my $nice = "CDEF:nice=";
 	my $interrupt = "CDEF:interrupt=";
 	my $steal = "CDEF:steal=";
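Review bot: this hunk and the neighbouring ones in `makegraphbox` and `updatecpugraph` only strip trailing whitespace from blank lines and have nothing to do with the firewall hits graph; moving them into a separate cleanup commit would keep this patch confined to `updatefwhitsgraph`, which makes it easier to review, backport or revert on its own.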
@@ -164,7 +164,7 @@ sub updatecpugraph {
 	my $iowait = "CDEF:iowait=";
 	my $irq = "CDEF:irq=";
 	my $addstring = "";
-	
+
 	for(my $i = 0; $i < $cpucount; $i++) {
 		push(@command,"DEF:iowait".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-wait.rrd:value:AVERAGE"
 				,"DEF:nice".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-nice.rrd:value:AVERAGE"
@@ -184,7 +184,7 @@ sub updatecpugraph {
 		$iowait .= "iowait".$i.",";
 		$irq .= "irq".$i.",";
 	}
-	
+
 	for(my $i = 2; $i < $cpucount; $i++) {
 		$addstring .= "ADDNAN,";
 	}
@@ -692,6 +692,8 @@ sub updatefwhitsgraph {
 		"DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
 		"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
 		"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
+		"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
+		"DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
 		"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
 		"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
 		"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
@@ -722,6 +724,16 @@ sub updatefwhitsgraph {
 		"GPRINT:portscan:AVERAGE:%8.1lf %sBps",
 		"GPRINT:portscan:MIN:%8.1lf %sBps",
 		"GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+		"STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}),
+		"GPRINT:spoofedmartian:MAX:%8.1lf %sBps",
+		"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
+		"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
+		"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
+		"STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}),
+		"GPRINT:hostile:MAX:%8.1lf %sBps",
+		"GPRINT:hostile:AVERAGE:%8.1lf %sBps",
+		"GPRINT:hostile:MIN:%8.1lf %sBps",
+		"GPRINT:hostile:LAST:%8.1lf %sBps\\j",
 		);
 		$ERROR = RRDs::error;
 		return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
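Review bot: these STACK/GPRINT entries, together with the `spoofedmartian` and `hostile` DEF lines added above, make the whole firewall hits graph depend on `iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd` and `iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd` existing; rrdtool refuses the entire graph when any DEF file is missing, so on a system where `DROPHOSTILE` is off (patch 05 does not create the chain in that case) or in the window before collectd has written its first sample, `updatefwhitsgraph` would return the RRDs::error string instead of a diagram. Consider pushing the DEF/STACK/GPRINT triples only when the corresponding file exists (`-e`), and double-check that `$color{"color12"}`, `$color{"color13"}` and the `'spoofed or martians'` / `'hostile networks'` keys are defined in the colour map and in both en.pl and de.pl, since an undefined value here silently produces an invalid rrdtool argument.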
-- 
2.26.2


* [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default
From: Peter Müller @ 2021-12-18 13:50 UTC
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/configroot | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/configroot b/lfs/configroot
index e0156c746..4fa7aba79 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -114,7 +114,7 @@ $(TARGET) :
 	echo  "ENABLED=off"		> $(CONFIG_ROOT)/vpn/settings
 	echo  "01"			> $(CONFIG_ROOT)/certs/serial
 	echo  "nameserver    1.2.3.4"	> $(CONFIG_ROOT)/ppp/fake-resolv.conf
-	echo  "DROPNEWNOTSYN=on"		>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DROPNEWNOTSYN=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPINPUT=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPFORWARD=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "FWPOLICY=DROP"		>> $(CONFIG_ROOT)/optionsfw/settings
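Review bot: the only change in this hunk is a tab-to-alignment edit on the `DROPNEWNOTSYN=on` line, which is unrelated to enabling spoofed-packet logging; it would be cleaner in its own cosmetic commit so that this patch's diff is just the one new default.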
@@ -130,6 +130,7 @@ $(TARGET) :
 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DROPSPOOFEDMARTIAN=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
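Review bot: `DROPSPOOFEDMARTIAN=on` only decides whether the SPOOFED_MARTIAN chain logs (patch 03 drops unconditionally), so the name promises more than the setting does; `LOGSPOOFEDMARTIAN` would describe the behaviour, as already raised on patch 03. Separately, this default reaches fresh installations only: existing systems need the same line appended to `/var/ipfire/optionsfw/settings` by the Core Update script (as the cover letter notes), otherwise `$DROPSPOOFEDMARTIAN` is empty there and spoofed packets are dropped without any log trace.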
-- 
2.26.2


* [PATCH 11/11] configroot: Drop traffic from and to hostile networks by default
From: Peter Müller @ 2021-12-18 13:50 UTC
  To: development


Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 lfs/configroot | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lfs/configroot b/lfs/configroot
index 4fa7aba79..56c0c7c8f 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -131,6 +131,7 @@ $(TARGET) :
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPSPOOFEDMARTIAN=on"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "DROPHOSTILE=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
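Review bot: because patch 05 wraps the creation of `DROP_HOSTILE` in `if [ "$DROPHOSTILE" == "on" ]`, an upgraded installation that does not receive this line in its `optionsfw/settings` will have no such chain at all, while collectd.conf (patch 08) and graphs.pl (patch 09) expect it unconditionally. The Core Update script should therefore always define `DROPHOSTILE` (on, or off if upgrades are meant to opt in), and it would be more robust if the firewall script created the chain regardless and only gated the jump rules on the setting.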
-- 
2.26.2


* Re: [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection
From: Michael Tremer @ 2022-01-07 16:57 UTC
  To: development


Hello,

I would like to make it short since I already said how much I like this on the video call…

Please see my replies to the individual patches.

-Michael

> On 18 Dec 2021, at 13:46, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> This patchset improves IPFire's firewall engine by...
> 
> (a) improved logging of spoofed packets and martians
> 
> (b) prevention of spoofing attempts on RED's interface IP address
> 
> (c) dropping traffic from and to networks known to pose a technical threat to
>    IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
>    for details) by default on new installations, doing so in a dedicated, easy
>    to configure IPtables chain.
>    Sadly, a decent fraction of our userbase does not bother creating any firewall
>    rules at all, so any outbound traffic is allowed on their networks. Therefore,
>    preventing them from reaching the "baddest of the bad" makes sense for a basic
>    detection of their devices and networks.
>    Any sane IPS configuration would already cover the networks in question, so
>    most IPFire machines running a decent IPS policy will already drop the offending
>    traffic, albeit in a rather costly way.
> 
> Please note this patchset needs additional commits for the Core Update it is
> intended to go to, such as shipping the changed files, and adding sane defaults
> to existing installations in /var/ipfire/optionsfw/settings.
> 
> See also: #12031
> 
> Peter Müller (11):
>  firewall: Log packets dropped due to conntrack INVALID state
>  firewall: Accept inbound Tor traffic before applying the location
>    filter
>  firewall: Log and drop spoofed loopback packets
>  firewall: Prevent spoofing our own RED IP address
>  firewall: Introduce DROP_HOSTILE
>  optionsfw.cgi: Make logging of spoofed/martians packets and the
>    DROP_HOSTILE filter configurable
>  Update German and English translation files
>  collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
>  graphs.pl: Display spoofed and hostile traffic in firewall hits
>    diagram as well
>  configroot: Enable logging of spoofed packets/martians by default
>  configroot: Drop traffic from and to hostile networks by default
> 
> config/cfgroot/graphs.pl        | 22 ++++++--
> config/collectd/collectd.conf   |  2 +
> html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
> langs/de/cgi-bin/de.pl          |  9 +++-
> langs/en/cgi-bin/en.pl          |  7 ++-
> lfs/configroot                  |  4 +-
> src/initscripts/system/firewall | 63 +++++++++++++++++-----
> 7 files changed, 166 insertions(+), 37 deletions(-)
> 
> -- 
> 2.26.2



* Re: [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter
From: Michael Tremer @ 2022-01-07 16:58 UTC
  To: development


Hello,

Can we make sure this is well documented somewhere?

Generally we said that the location filter comes first and this will change that behaviour.

Best,
-Michael

> On 18 Dec 2021, at 13:47, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Inbound Tor traffic conflicts with Location block as inbound connections
> have to be accepted from many parts of the world. To solve this,
> inbound Tor traffic has to be accepted before jumping into Location block
> chain.
> 
> Note this affects Tor relay operators only.
> 
> Rolled forward as ongoing from
> https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90(a)ipfire.org/,
> note the documentation in the wiki needs to be updated once this has landed
> in production.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 49c6b7bf9..cc5baa292 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -227,6 +227,10 @@ iptables_init() {
> 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
> 	fi
> 
> +	# Tor (inbound)
> +	iptables -N TOR_INPUT
> +	iptables -A INPUT -j TOR_INPUT
> +
> 	# Location Block
> 	iptables -N LOCATIONBLOCK
> 	iptables -A INPUT -j LOCATIONBLOCK
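Review bot: placing `iptables -A INPUT -j TOR_INPUT` ahead of `LOCATIONBLOCK` means that whatever is later inserted into `TOR_INPUT` bypasses the location filter for the INPUT path, and this hunk does not show what populates that chain. Please confirm the rules added to `TOR_INPUT` are restricted to the relay's listening ports on the RED interface and only exist while the relay is enabled, so that the chain stays empty otherwise and all other inbound traffic still hits the location filter first; that constraint is also what the wiki update mentioned in the commit message should state.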
> @@ -260,9 +264,7 @@ iptables_init() {
> 	iptables -N OVPNINPUT
> 	iptables -A INPUT -j OVPNINPUT
> 
> -	# Tor (inbound and outbound)
> -	iptables -N TOR_INPUT
> -	iptables -A INPUT -j TOR_INPUT
> +	# Tor (outbound)
> 	iptables -N TOR_OUTPUT
> 	iptables -A OUTPUT -j TOR_OUTPUT
> 
> -- 
> 2.26.2



* Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
From: Michael Tremer @ 2022-01-07 17:01 UTC
  To: development


Hello,

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Traffic from and to 127.0.0.0/8 must only appear on the loopback
> interface, never on any other interface. This ensures offending packets
> are logged, and the loopback interface cannot be abused for processing
> traffic from and to any other networks.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index cc5baa292..1c62c6e2c 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -80,6 +80,14 @@ iptables_init() {
> 	fi
> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
> 
> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
> +	# on interfaces where we don't expect them
> +	iptables -N SPOOFED_MARTIAN
> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then

DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?

You will always drop any packets sent to this chain, but you won’t always log them.

Is this what you intended?

> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
> +	fi
> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
> +
> 	# Chain to contain all the rules relating to bad TCP flags
> 	iptables -N BADTCP
> 
> @@ -177,14 +185,18 @@ iptables_init() {
> 	iptables -A INPUT -j ICMPINPUT
> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
> 
> -	# Accept everything on loopback
> +	# Accept everything on loopback if source/destination is loopback space...
> 	iptables -N LOOPBACK
> -	iptables -A LOOPBACK -i lo -j ACCEPT
> -	iptables -A LOOPBACK -o lo -j ACCEPT
> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
> +
> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
> 
> -	# Filter all packets with loopback addresses on non-loopback interfaces.
> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
> 
> 	for i in INPUT FORWARD OUTPUT; do
> 		iptables -A ${i} -j LOOPBACK
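Review bot: the new `-i lo -j SPOOFED_MARTIAN` and `-o lo -j SPOOFED_MARTIAN` rules treat every packet on `lo` whose addresses lie outside 127.0.0.0/8 as spoofed, but the kernel delivers all host-local traffic over `lo` regardless of the address used: a process on the firewall that connects to the GREEN or RED interface IP (a local resolver query to the box's own LAN address, or the web UI reached via its interface IP) arrives on `lo` with non-loopback SRC/DST and would now be logged and dropped. Before this lands, test local services addressed by interface IPs; a narrower rule would only send `lo` traffic to SPOOFED_MARTIAN when the addresses are not local to the host (e.g. `-m addrtype ! --src-type LOCAL`), or keep accepting everything on `lo` and confine the new drop to 127/8 on non-loopback interfaces, which is what the commit message actually describes.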
> -- 
> 2.26.2


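Once these LOG rules are in place, the kernel log becomes the place where spoofed or hostile traffic shows up first. The following is an added example, not code from the patchset or from IPFire, that summarises constructed kernel log lines of the kind the `SPOOFED_MARTIAN` and `DROP_HOSTILE` LOG rules emit. Only the two prefixes (`DROP_SPOOFED_MARTIAN `, `DROP_HOSTILE `) are taken from the hunks; the hostname, interface names, addresses and timestamps in the sample are made up.

```shell
#!/bin/sh
# Added example (not part of the IPFire patchset): a defender-side summary of
# kernel log lines produced by the SPOOFED_MARTIAN and DROP_HOSTILE LOG rules.
# The log prefixes come from the patches; every other value below is constructed
# sample data (interface names, addresses, hostname, timestamps).

SAMPLE_LOG='Jan  8 11:43:01 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= SRC=127.0.0.1 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44444 DPT=22
Jan  8 11:43:02 ipfire kernel: DROP_SPOOFED_MARTIAN IN=lo OUT= SRC=192.0.2.5 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8
Jan  8 11:43:03 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40000 DPT=445
Jan  8 11:43:04 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.0.2.20 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=51000 DPT=80
Jan  8 11:43:05 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= SRC=198.51.100.3 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=1234 DPT=80'

# Number of log lines carrying a given prefix, e.g. DROP_HOSTILE.
count_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "kernel: $1 "
}

# DROP_HOSTILE hits split by direction: "inbound" (no OUT= interface, i.e. the
# INPUT chain) versus "outbound" (FORWARD/OUTPUT leaving towards RED).
hostile_direction() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v want="$1" '
        /kernel: DROP_HOSTILE / {
            out = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^OUT=/) out = substr($i, 5)
            if (out == "") n["inbound"]++; else n["outbound"]++
        }
        END { print n[want] + 0 }'
}

# Spoofed loopback traffic: DROP_SPOOFED_MARTIAN lines where a 127.0.0.0/8
# address appeared on an interface other than lo. Worth alerting on, because
# 127/8 on a real NIC can never be legitimate.
spoofed_loopback_external() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /kernel: DROP_SPOOFED_MARTIAN / {
            iface = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  iface = substr($i, 4)
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (iface != "lo" && (src ~ /^127\./ || dst ~ /^127\./)) c++
        }
        END { print c + 0 }'
}

# Internal hosts behind outbound DROP_HOSTILE hits: a LAN device talking to a
# hostile network is the signal the cover letter wants to surface.
internal_talkers() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /kernel: DROP_HOSTILE / && /OUT=[a-z]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
        }' | sort -u
}

# Human-readable report when the script is run directly.
report() {
    printf 'spoofed/martian drops : %s\n' "$(count_prefix DROP_SPOOFED_MARTIAN)"
    printf '  127/8 on non-lo     : %s\n' "$(spoofed_loopback_external)"
    printf 'hostile drops inbound : %s\n' "$(hostile_direction inbound)"
    printf 'hostile drops outbound: %s\n' "$(hostile_direction outbound)"
    printf 'internal hosts reaching hostile networks:\n'
    internal_talkers | sed 's/^/  /'
}

report
```

On a real system the sample string would be replaced by `journalctl -k` or `/var/log/messages` input; the functions only rely on the `IN=`, `OUT=`, `SRC=` and `DST=` fields that the iptables LOG target always emits, so the same awk logic works for the rate-limited output of the rules in the patch.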

* Re: [PATCH 05/11] firewall: Introduce DROP_HOSTILE
From: Michael Tremer @ 2022-01-07 17:04 UTC
  To: development


Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
> 
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfere with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() {
> 	iptables -t nat -N CUSTOMPOSTROUTING
> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
> 
> +	# Log and drop any traffic from and to networks known as being hostile, posing
> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> +	if [ "$DROPHOSTILE" == "on" ]; then
> +		iptables -N DROP_HOSTILE
> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
> +
> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +
> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
> +	fi
> +
> 	# P2PBLOCK
> 	iptables -N P2PBLOCK
> 	iptables -A INPUT -j P2PBLOCK
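Review bot: the OUTPUT rule `iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE` matches on the source country, but locally generated packets leaving via RED carry the firewall's own address as source, so this rule can never catch traffic from the firewall itself to a hostile network; it should use `--dst-cc XD`, like the `FORWARD -o $IFACE` rule directly above it. A second point: the chain and all four jumps live inside `if [ "$DROPHOSTILE" == "on" ]`, so when the option is off (or unset on an upgraded system) there is no `DROP_HOSTILE` chain at all, while collectd.conf and graphs.pl in this series expect it unconditionally; creating the chain outside the `if` and gating only the jump rules, as patch 03 does for SPOOFED_MARTIAN, would keep the counters and graphs valid in either setting.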
> -- 
> 2.26.2



* Re: [PATCH 05/11] firewall: Introduce DROP_HOSTILE
From: Peter Müller @ 2022-01-08 10:39 UTC
  To: development


Hello Michael,

thanks for your reply.

This is good to know as I was surprised to see this working on my testing machine without
any further exports/converting/${whatever} of the location database. :-)

Thanks, and best regards,
Peter Müller


> Hello,
> 
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
> 
> Whenever we download the database, we extract everything:
> 
>   https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
> 
> So this should always work.
> 
> -Michael
> 
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfere with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() {
>> 	iptables -t nat -N CUSTOMPOSTROUTING
>> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>>
>> +	# Log and drop any traffic from and to networks known as being hostile, posing
>> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
>> +	if [ "$DROPHOSTILE" == "on" ]; then
>> +		iptables -N DROP_HOSTILE
>> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
>> +
>> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
>> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +
>> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
>> +	fi
>> +
>> 	# P2PBLOCK
>> 	iptables -N P2PBLOCK
>> 	iptables -A INPUT -j P2PBLOCK
>> -- 
>> 2.26.2
> 


* Re: [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter
From: Peter Müller @ 2022-01-08 11:38 UTC
  To: development


Hello Michael,

thanks for your reply.

Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables,
which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK",
so it's outdated anyway, and I don't know what source it is generated from.

Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block
needs to be done. I can take care of this.

Thanks, and best regards,
Peter Müller


> Hello,
> 
> Can we make sure this is well documented somewhere?
> 
> Generally we said that the location filter comes first and this will change that behaviour.
> 
> Best,
> -Michael
> 
>> On 18 Dec 2021, at 13:47, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Inbound Tor traffic conflicts with Location block as inbound connections
>> have to be accepted from many parts of the world. To solve this,
>> inbound Tor traffic has to be accepted before jumping into Location block
>> chain.
>>
>> Note this affects Tor relay operators only.
>>
>> Rolled forward as ongoing from
>> https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90(a)ipfire.org/,
>> note the documentation in the wiki needs to be updated once this has landed
>> in production.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 8 +++++---
>> 1 file changed, 5 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 49c6b7bf9..cc5baa292 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -227,6 +227,10 @@ iptables_init() {
>> 		iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
>> 	fi
>>
>> +	# Tor (inbound)
>> +	iptables -N TOR_INPUT
>> +	iptables -A INPUT -j TOR_INPUT
>> +
>> 	# Location Block
>> 	iptables -N LOCATIONBLOCK
>> 	iptables -A INPUT -j LOCATIONBLOCK
>> @@ -260,9 +264,7 @@ iptables_init() {
>> 	iptables -N OVPNINPUT
>> 	iptables -A INPUT -j OVPNINPUT
>>
>> -	# Tor (inbound and outbound)
>> -	iptables -N TOR_INPUT
>> -	iptables -A INPUT -j TOR_INPUT
>> +	# Tor (outbound)
>> 	iptables -N TOR_OUTPUT
>> 	iptables -A OUTPUT -j TOR_OUTPUT
>>
>> -- 
>> 2.26.2
> 


* Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
From: Peter Müller @ 2022-01-08 11:43 UTC
  To: development


Hello Michael,

> You will always drop any packets sent to this chain, but you won’t always log them.
> 
> Is this what you intended?

yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
packets.

Should I update the misleading "DROP*" variables as well to keep things consistent?

Thanks, and best regards,
Peter Müller


> Hello,
> 
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>> interface, never on any other interface. This ensures offending packets
>> are logged, and the loopback interface cannot be abused for processing
>> traffic from and to any other networks.
>>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index cc5baa292..1c62c6e2c 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -80,6 +80,14 @@ iptables_init() {
>> 	fi
>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>
>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>> +	# on interfaces where we don't expect them
>> +	iptables -N SPOOFED_MARTIAN
>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
> 
> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
> 
> You will always drop any packets sent to this chain, but you won’t always log them.
> 
> Is this what you intended?
> 
>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>> +	fi
>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>> +
>> 	# Chain to contain all the rules relating to bad TCP flags
>> 	iptables -N BADTCP
>>
>> @@ -177,14 +185,18 @@ iptables_init() {
>> 	iptables -A INPUT -j ICMPINPUT
>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>
>> -	# Accept everything on loopback
>> +	# Accept everything on loopback if source/destination is loopback space...
>> 	iptables -N LOOPBACK
>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>> +
>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>
>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>
>> 	for i in INPUT FORWARD OUTPUT; do
>> 		iptables -A ${i} -j LOOPBACK
>> -- 
>> 2.26.2
> 


* Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
From: Michael Tremer @ 2022-01-16 15:14 UTC
  To: development


Hello,

> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
>> You will always drop any packets sent to this chain, but you won’t always log them.
>> 
>> Is this what you intended?
> 
> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
> packets.
> 
> Should I update the misleading "DROP*" variables as well to keep things consistent?

Yes. I would say so. I like things when they are tidy.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>> interface, never on any other interface. This ensures offending packets
>>> are logged, and the loopback interface cannot be abused for processing
>>> traffic from and to any other networks.
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>> ---
>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>> 
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index cc5baa292..1c62c6e2c 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -80,6 +80,14 @@ iptables_init() {
>>> 	fi
>>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>> 
>>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>>> +	# on interfaces where we don't expect them
>>> +	iptables -N SPOOFED_MARTIAN
>>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>> 
>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>> 
>> You will always drop any packets sent to this chain, but you won’t always log them.
>> 
>> Is this what you intended?
>> 
>>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>>> +	fi
>>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>> +
>>> 	# Chain to contain all the rules relating to bad TCP flags
>>> 	iptables -N BADTCP
>>> 
>>> @@ -177,14 +185,18 @@ iptables_init() {
>>> 	iptables -A INPUT -j ICMPINPUT
>>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>> 
>>> -	# Accept everything on loopback
>>> +	# Accept everything on loopback if source/destination is loopback space...
>>> 	iptables -N LOOPBACK
>>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>> +
>>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>> 
>>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> 
>>> 	for i in INPUT FORWARD OUTPUT; do
>>> 		iptables -A ${i} -j LOOPBACK
>>> -- 
>>> 2.26.2
>> 



* Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
From: Peter Müller @ 2022-01-18 21:22 UTC
  To: development


Hello Michael,

thanks for your reply.

Since I already put that patchset into my temporary development branch for Core Update 164,
I will work on a dedicated patch for renaming the variables instead of reverting these and
submit a second version of the patchset.

Thanks, and best regards,
Peter Müller


> Hello,
> 
>> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>
>>> Is this what you intended?
>>
>> Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>> packets.
>>
>> Should I update the misleading "DROP*" variables as well to keep things consistent?
> 
> Yes. I would say so. I like things when they are tidy.
> 
> -Michael
> 
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>> interface, never on any other interface. This ensures offending packets
>>>> are logged, and the loopback interface cannot be abused for processing
>>>> traffic from and to any other networks.
>>>>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>>>
>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>> index cc5baa292..1c62c6e2c 100644
>>>> --- a/src/initscripts/system/firewall
>>>> +++ b/src/initscripts/system/firewall
>>>> @@ -80,6 +80,14 @@ iptables_init() {
>>>> 	fi
>>>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>>>
>>>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>>>> +	# on interfaces where we don't expect them
>>>> +	iptables -N SPOOFED_MARTIAN
>>>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>>>
>>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>>>
>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>
>>> Is this what you intended?
>>>
>>>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>>>> +	fi
>>>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>>> +
>>>> 	# Chain to contain all the rules relating to bad TCP flags
>>>> 	iptables -N BADTCP
>>>>
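Review bot: `DROPSPOOFEDMARTIAN` gates only the LOG rule; the closing `iptables -A SPOOFED_MARTIAN -j DROP` runs unconditionally, so the option name promises control over a behaviour it does not have (LOGSPOOFEDMARTIAN, as already suggested, describes what it does). Two smaller points on the same lines: `-m limit --limit 10/second` keeps the default burst of 5, so under a flood the kernel log holds only a sample and must not be read as a drop count; and the `-m comment --comment "DROP_SPOOFED_MARTIAN"` on the DROP rule is the stable handle anything counting these drops will key on, so keep that string and the `--log-prefix` unchanged when the variable is renamed.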
>>>> @@ -177,14 +185,18 @@ iptables_init() {
>>>> 	iptables -A INPUT -j ICMPINPUT
>>>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>>>
>>>> -	# Accept everything on loopback
>>>> +	# Accept everything on loopback if source/destination is loopback space...
>>>> 	iptables -N LOOPBACK
>>>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>>>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>>>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>>> +
>>>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>>>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>>>
>>>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>>>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>
>>>> 	for i in INPUT FORWARD OUTPUT; do
>>>> 		iptables -A ${i} -j LOOPBACK
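Review bot: the catch-all rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` also match legitimate host-local traffic. Linux delivers packets addressed to any address configured on the machine through lo, not only packets inside 127.0.0.0/8, so a process on the firewall connecting to its own GREEN or RED address (and the reply, which arrives on lo as well) now carries a non-127/8 source and destination, is logged as a martian and dropped. Consider narrowing the catch-all to packets where an endpoint is not local, e.g. `-m addrtype ! --src-type LOCAL` and `-m addrtype ! --dst-type LOCAL` on the `-i lo`/`-o lo` rules, and verify with `tcpdump -ni lo` on a box with the rules loaded before this reaches a Core Update. Appending LOOPBACK to FORWARD is harmless, since `-i lo`/`-o lo` never match there; only the `-s/-d 127.0.0.0/8` rules do work in that hook.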
>>>> -- 
>>>> 2.26.2
>>>
> 
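To see what the LOOPBACK chain from the hunk does to concrete packets, here is an added Python model of those rules (example code, not IPFire's own). It assumes hypothetical interface names green0/red0 and made-up addresses, and the hardened variant using iptables' addrtype LOCAL match is a suggestion, not part of the patch. The case worth checking is a process on the firewall talking to one of its own non-loopback addresses, which Linux delivers through lo.

```python
# Added illustration, not IPFire code: a model of the LOOPBACK chain from the
# hunk (matches -i/-o/-s/-d) plus iptables' addrtype LOCAL match for a
# hypothetical hardened variant. Interface names and addresses are made up.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Addresses configured on the firewall itself (constructed: loopback, a
# GREEN address, a RED address). Linux delivers packets addressed to any
# of them through lo, not only packets inside 127.0.0.0/8.
LOCAL_ADDRS = {
    ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.1.1", "203.0.113.10")
}

@dataclass(frozen=True)
class Packet:
    iif: Optional[str]  # input interface, None in the OUTPUT hook
    oif: Optional[str]  # output interface, None in the INPUT hook
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    target: str
    iif: Optional[str] = None
    oif: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    src_local: Optional[bool] = None  # -m addrtype [!] --src-type LOCAL
    dst_local: Optional[bool] = None  # -m addrtype [!] --dst-type LOCAL

    def matches(self, p: Packet) -> bool:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if self.iif is not None and p.iif != self.iif:
            return False
        if self.oif is not None and p.oif != self.oif:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        if self.src_local is not None and (src in LOCAL_ADDRS) != self.src_local:
            return False
        if self.dst_local is not None and (dst in LOCAL_ADDRS) != self.dst_local:
            return False
        return True

# The LOOPBACK chain exactly as the hunk builds it, in order.
PATCH_LOOPBACK = [
    Rule("ACCEPT", iif="lo", src=LOOPBACK_NET),
    Rule("ACCEPT", oif="lo", dst=LOOPBACK_NET),
    Rule("SPOOFED_MARTIAN", iif="lo"),
    Rule("SPOOFED_MARTIAN", oif="lo"),
    Rule("SPOOFED_MARTIAN", src=LOOPBACK_NET),
    Rule("SPOOFED_MARTIAN", dst=LOOPBACK_NET),
]

# Hypothetical variant: on lo, treat a packet as a martian only when one
# endpoint is not a locally configured address.
HARDENED_LOOPBACK = PATCH_LOOPBACK[:2] + [
    Rule("SPOOFED_MARTIAN", iif="lo", src_local=False),
    Rule("SPOOFED_MARTIAN", iif="lo", dst_local=False),
    Rule("SPOOFED_MARTIAN", oif="lo", src_local=False),
    Rule("SPOOFED_MARTIAN", oif="lo", dst_local=False),
] + PATCH_LOOPBACK[4:]

def evaluate(chain, pkt: Packet, log_spoofed: bool) -> Tuple[str, bool]:
    """Return (verdict, logged). SPOOFED_MARTIAN always ends in DROP; the
    option in the patch only decides whether a LOG line is written first."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "SPOOFED_MARTIAN":
                return "DROP", log_spoofed
            return rule.target, False
    return "RETURN", False  # nothing matched: back to INPUT/FORWARD/OUTPUT

SAMPLES = {  # constructed packets, one per interesting case
    "lo_loopback": Packet("lo", None, "127.0.0.1", "127.0.0.1"),
    "green_spoofed_src": Packet("green0", None, "127.0.0.1", "192.168.1.1"),
    "out_red_to_loopback": Packet(None, "red0", "203.0.113.10", "127.0.0.1"),
    "lo_to_own_green_ip": Packet("lo", None, "192.168.1.1", "192.168.1.1"),
    "lo_foreign_src": Packet("lo", None, "10.9.8.7", "192.168.1.1"),
    "red_normal": Packet("red0", None, "198.51.100.5", "203.0.113.10"),
}

def compare(log_spoofed: bool = True) -> dict:
    """Verdict of the patch chain and the hardened chain for each sample."""
    return {name: (evaluate(PATCH_LOOPBACK, p, log_spoofed),
                   evaluate(HARDENED_LOOPBACK, p, log_spoofed))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (patch, hardened) in compare().items():
        print(f"{name:20} patch={patch[0]:7} hardened={hardened[0]}")
```

Running it shows the difference in one row: `lo_to_own_green_ip` is dropped (and logged) by the chain as patched but passes through the hardened variant, while the genuinely spoofed samples are dropped by both. The `log_spoofed` flag never changes a verdict, which is exactly the point raised about the option name.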

* Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
  2022-01-18 21:22         ` Peter Müller
@ 2022-01-19  8:25           ` Michael Tremer
  0 siblings, 0 replies; 22+ messages in thread
From: Michael Tremer @ 2022-01-19  8:25 UTC (permalink / raw)
  To: development

Agreed.

> On 18 Jan 2022, at 21:22, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
> Since I already put that patchset into my temporary development branch for Core Update 164,
> I will work on a dedicated patch for renaming the variables instead of reverting these and
> submit a second version of the patchset.

Don’t merge prematurely :)

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>>> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>> 
>>> Hello Michael,
>>> 
>>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>> 
>>>> Is this what you intended?
>>> 
>>> Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>>> packets.
>>> 
>>> Should I update the misleading "DROP*" variables as well to keep things consistent?
>> 
>> Yes. I would say so. I like things when they are tidy.
>> 
>> -Michael
>> 
>>> 
>>> Thanks, and best regards,
>>> Peter Müller
>>> 
>>> 
>>>> Hello,
>>>> 
>>>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>> 
>>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>>> interface, never on any other interface. This ensures offending packets
>>>>> are logged, and the loopback interface cannot be abused for processing
>>>>> traffic from and to any other networks.
>>>>> 
>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>> ---
>>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>>>> 
>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>>> index cc5baa292..1c62c6e2c 100644
>>>>> --- a/src/initscripts/system/firewall
>>>>> +++ b/src/initscripts/system/firewall
>>>>> @@ -80,6 +80,14 @@ iptables_init() {
>>>>> 	fi
>>>>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>>>> 
>>>>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>>>>> +	# on interfaces where we don't expect them
>>>>> +	iptables -N SPOOFED_MARTIAN
>>>>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>>>> 
>>>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>>>> 
>>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>> 
>>>> Is this what you intended?
>>>> 
>>>>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>>>>> +	fi
>>>>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>>>> +
>>>>> 	# Chain to contain all the rules relating to bad TCP flags
>>>>> 	iptables -N BADTCP
>>>>> 
>>>>> @@ -177,14 +185,18 @@ iptables_init() {
>>>>> 	iptables -A INPUT -j ICMPINPUT
>>>>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>>>> 
>>>>> -	# Accept everything on loopback
>>>>> +	# Accept everything on loopback if source/destination is loopback space...
>>>>> 	iptables -N LOOPBACK
>>>>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>>>>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>>>>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>>>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>>>> +
>>>>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>>>>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>>>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>>>> 
>>>>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>>>>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>>>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>>>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>>>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>> 
>>>>> 	for i in INPUT FORWARD OUTPUT; do
>>>>> 		iptables -A ${i} -j LOOPBACK
>>>>> -- 
>>>>> 2.26.2
>>>> 
>> 


Thread overview: 22+ messages
2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
2021-12-18 13:47 ` [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Peter Müller
2022-01-07 16:58   ` Michael Tremer
2022-01-08 11:38     ` Peter Müller
2021-12-18 13:48 ` [PATCH 03/11] firewall: Log and drop spoofed loopback packets Peter Müller
2022-01-07 17:01   ` Michael Tremer
2022-01-08 11:43     ` Peter Müller
2022-01-16 15:14       ` Michael Tremer
2022-01-18 21:22         ` Peter Müller
2022-01-19  8:25           ` Michael Tremer
2021-12-18 13:48 ` [PATCH 04/11] firewall: Prevent spoofing our own RED IP address Peter Müller
2021-12-18 13:48 ` [PATCH 05/11] firewall: Introduce DROP_HOSTILE Peter Müller
2022-01-07 17:04   ` Michael Tremer
2022-01-08 10:39     ` Peter Müller
2021-12-18 13:49 ` [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Peter Müller
2021-12-18 13:49 ` [PATCH 07/11] Update German and English translation files Peter Müller
2021-12-18 13:49 ` [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} Peter Müller
2021-12-18 13:49 ` [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well Peter Müller
2021-12-18 13:50 ` [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default Peter Müller
2021-12-18 13:50 ` [PATCH 11/11] configroot: Drop traffic from and to hostile networks " Peter Müller
2022-01-07 16:57 ` [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Michael Tremer