From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Revert strict martian check on loopback interface
Date: Tue, 15 Feb 2022 12:44:32 +0000
Message-ID: <8C1CBBBF-43F6-4DDB-A114-C1F5288141AB@ipfire.org>
In-Reply-To: <30f95031-fa56-600f-990c-bec8992eaa07@ipfire.org>

Hello,

I didn't foresee this either.

It is one of those reasons why networking is hard, because there are so many shortcuts to keep things simple and fast.

> On 14 Feb 2022, at 19:14, Peter Müller wrote:
> 
> Hello Arne,
> hello Michael,
> hello *,
> 
> thank you for spotting this. While I cannot explain to myself why I did not realise
> this during my tests, I agree it makes sense to revert that part of the spoofed/martian
> firewall changes.
> 
> Apologies for the trouble caused.

No trouble caused.

-Michael

> 
> Reviewed-by: Peter Müller
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> If the firewall is talking to itself using one of its private IP
>> addresses (e.g. the primary green interface IP address), it will use the
>> loopback interface.
>> 
>> This is due to the local routing table which will be looked up first:
>> 
>> [root@ipfire ~]# ip rule
>> 0:	from all lookup local
>> 128:	from all lookup 220
>> 220:	from all lookup 220
>> 32765:	from all lookup static
>> 32766:	from all lookup main
>> 32767:	from all lookup default
>> 
>> It contains:
>> 
>> [root@ipfire ~]# ip route show table local
>> local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
>> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
>> local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
>> broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
>> 
>> Any lookup for the green IP address will show this:
>> 
>> local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
>>     cache
>> 
>> A test ping shows this in tcpdump:
>> 
>> [root@ipfire ~]# tcpdump -i any icmp -nn
>> tcpdump: data link type LINUX_SLL2
>> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
>> listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
>> 17:24:22.864293 lo    In  IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
>> 17:24:22.864422 lo    In  IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
>> 17:24:29.162021 lo    In  IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
>> 17:24:29.162201 lo    In  IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
>> 
>> For this reason, we will have to accept any source and destination IP
>> address on the loopback interface, which is what this patch does.
>> 
>> We can, however, continue to check whether we received any packets with
>> the loopback address on any other interface.
>> 
>> This regression was introduced in commit a36cd34e.
>> 
>> Fixes: #12776 - New spoofed or martian filter block
>> Signed-off-by: Arne Fitzenreiter
>> Signed-off-by: Michael Tremer
>> ---
>>  src/initscripts/system/firewall | 10 +++-------
>>  1 file changed, 3 insertions(+), 7 deletions(-)
>> 
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 48653ff57..fc355cd5d 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -200,14 +200,10 @@ iptables_init() {
>>  iptables -A INPUT -j ICMPINPUT
>>  iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>> 
>> - # Accept everything on loopback if source/destination is loopback space...
>> + # Accept everything on loopback
>>  iptables -N LOOPBACK
>> - iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>> - iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>> -
>> - # ... and drop everything else on the loopback interface, since no other traffic should appear there
>> - iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>> - iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>> + iptables -A LOOPBACK -i lo -j ACCEPT
>> + iptables -A LOOPBACK -o lo -j ACCEPT
>> 
>>  # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>  iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
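Review bot: The new comment "# Accept everything on loopback" above the `-i lo -j ACCEPT` / `-o lo -j ACCEPT` pair drops the reason the strict 127.0.0.0/8 match had to go, which invites someone to reintroduce the check that commit a36cd34e added; carry the justification from the commit message into the script, e.g. `# Accept everything on loopback: the local routing table delivers traffic to any of the firewall's own addresses (e.g. the green IP) via lo, so source/destination on lo are not limited to 127.0.0.0/8`. The trailing `iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN` now only reaches non-lo packets because the lo ACCEPT rules precede it; that ordering is what keeps the spoofed-loopback check correct, so either say so in the comment or make it explicit with `! -i lo` so the rule stays safe if the chain is ever reordered.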
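The following is an added example, not IPFire code and not part of the thread. It models the two lookups the commit message relies on: the policy-routing decision (the "local" table is consulted before "main", and a local route is delivered over lo even though the table names green0 or ppp0) and the LOOPBACK chain as it was in a36cd34e versus after this patch. Only the input direction (-i) of the chain is modelled; the mirrored -o rules are left out. The redacted addresses 192.168.x.1 and 8x.1x.1x.1x are replaced by the assumed values 192.168.0.1 and 85.10.10.10, and the "main" table is an assumption, since the message only shows the local table.

```python
"""Toy model of the lookup chain behind this patch: Linux policy routing consults the
"local" table first, so traffic to any address the firewall owns is delivered over lo,
and a LOOPBACK chain that only accepts 127.0.0.0/8 on lo therefore drops it."""
import ipaddress
from dataclasses import dataclass

# Constructed from the `ip route show table local` output in the commit message.
# The redacted placeholders 192.168.x.1 and 8x.1x.1x.1x are replaced by the
# assumed values 192.168.0.1 and 85.10.10.10.
LOCAL_TABLE = [
    ("local", "85.10.10.10/32", "ppp0"),
    ("local", "127.0.0.0/8", "lo"),
    ("local", "127.0.0.1/32", "lo"),
    ("broadcast", "127.255.255.255/32", "lo"),
    ("local", "192.168.0.1/32", "green0"),
    ("broadcast", "192.168.0.255/32", "green0"),
]
# Assumed "main" table: a green subnet route and a default route via ppp0.
MAIN_TABLE = [
    ("unicast", "192.168.0.0/24", "green0"),
    ("unicast", "0.0.0.0/0", "ppp0"),
]
# `ip rule` order: local (prio 0) before main (32766); tables 220/static are omitted here.
RULES = [("local", LOCAL_TABLE), ("main", MAIN_TABLE)]

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def route_lookup(dst):
    """Return (route type, device) the way `ip route get` would report it.

    Tables are consulted in rule order; within a table the longest prefix wins.
    A "local" route is delivered to the host itself, so the reported device is lo
    even though the table entry names the interface the address is configured on.
    """
    addr = ipaddress.ip_address(dst)
    for _name, table in RULES:
        best = None
        for rtype, prefix, dev in table:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (rtype, net, dev)
        if best is not None:
            rtype, _net, dev = best
            return rtype, ("lo" if rtype == "local" else dev)
    raise LookupError(f"no route to {dst}")


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrives on (iptables -i)
    src: str
    dst: str


def loopback_chain_before(pkt):
    """LOOPBACK chain as of commit a36cd34e (input direction only): on lo, only
    a 127.0.0.0/8 source is accepted and everything else is treated as a martian."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "lo":
        return "ACCEPT" if src in LOOPBACK_NET else "SPOOFED_MARTIAN"
    return "SPOOFED_MARTIAN" if src in LOOPBACK_NET else "RETURN"


def loopback_chain_after(pkt):
    """LOOPBACK chain after this patch: anything on lo is accepted; a loopback
    source on any other interface is still a martian."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "lo":
        return "ACCEPT"
    return "SPOOFED_MARTIAN" if src in LOOPBACK_NET else "RETURN"


def self_ping(dst):
    """Packet the firewall generates when it pings one of its own addresses:
    routed via the local table, so it shows up on lo with src == dst, exactly as
    in the tcpdump output of the commit message."""
    _rtype, dev = route_lookup(dst)
    return Packet(iface=dev, src=dst, dst=dst)


def compare(pkt):
    """Verdict of the old and the new chain for one packet."""
    return loopback_chain_before(pkt), loopback_chain_after(pkt)


if __name__ == "__main__":
    cases = {
        "ping 127.0.0.1 from the firewall": self_ping("127.0.0.1"),
        "ping the green IP from the firewall": self_ping("192.168.0.1"),
        "spoofed 127.0.0.1 source arriving on green0": Packet("green0", "127.0.0.1", "192.168.0.1"),
        "ordinary client on green0": Packet("green0", "192.168.0.50", "192.168.0.1"),
    }
    for label, pkt in cases.items():
        before, after = compare(pkt)
        print(f"{label:45} iface={pkt.iface:6} before={before:15} after={after}")
```

Running it shows the regression in one line: the ping to the green address is routed via lo with a 192.168.0.1 source, which the a36cd34e chain classifies as SPOOFED_MARTIAN and the patched chain accepts, while a 127.0.0.1 source arriving on green0 is still caught by both.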