From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
Date: Tue, 19 May 2020 09:21:19 +0100
In-Reply-To: <166B06A6-A5A1-4E69-8277-B21690ED842F@ipfire.org>

Hi,

False alarm. Turns out this isn’t merged, yet.

Best,
-Michael

> On 19 May 2020, at 09:20, Michael Tremer wrote:
>
> Okay, thanks for testing this.
>
> I will ask Arne to revert it.
>
> -Michael
>
>> On 18 May 2020, at 22:03, Matthias Fischer wrote:
>>
>> Hi,
>>
>> perhaps it's only me, but after applying this patch for testing purposes
>> I don't see any (redirected) urlfilter block pages anymore.
>>
>> Only the firewall logs are telling me:
>>
>> ...
>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>> ...
>>
>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>> TCP port 81 to see a block page again...
>>
>> Only me?
>>
>> Best,
>> Matthias
>>
>> On 14.05.2020 12:36, Michael Tremer wrote:
>>> Hello,
>>>
>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>
>>> Acked-by: Michael Tremer
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 13 May 2020, at 21:21, Peter Müller wrote:
>>>>
>>>> This ensures traffic on the loopback interface matches the IPv4
>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>> being injected/emitted (in)to the loopback interface.
>>>>
>>>> Cc: Arne Fitzenreiter
>>>> Cc: Michael Tremer
>>>> Signed-off-by: Peter Müller
>>>> ---
>>>> src/initscripts/system/firewall | 6 +++---
>>>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>> index 00512d9fa..409aaf7a9 100644
>>>> --- a/src/initscripts/system/firewall
>>>> +++ b/src/initscripts/system/firewall
>>>> @@ -219,10 +219,10 @@ iptables_init() {
>>>> iptables -A INPUT -j ICMPINPUT
>>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>>>
>>>> - # Accept everything on loopback
>>>> + # Accept everything on loopback if both source and destination are within 127.0.0.0/8
>>>> iptables -N LOOPBACK
>>>> - iptables -A LOOPBACK -i lo -j ACCEPT
>>>> - iptables -A LOOPBACK -o lo -j ACCEPT
>>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
>>>>
>>>> # Filter all packets with loopback addresses on non-loopback interfaces.
>>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>>> --
>>>> 2.26.1
>>>
>>
>
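Review bot: the narrowed `-i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT` rule in this hunk no longer admits locally generated traffic addressed to the box's own non-loopback addresses, which the kernel delivers over lo with that interface address as both source and destination, so the commit message's premise that traffic on lo always carries 127/8 addresses does not hold; Matthias' `REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81` is exactly such a packet (the redirected URL filter block page on the GREEN address, port 81) falling out of LOOPBACK into the INPUT reject. The `-o lo` rule has the same gap on the OUTPUT side. Since the following `iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP` already stops 127/8 sources arriving on non-loopback interfaces, the existing unconditional `-i lo` / `-o lo` accepts are the simpler choice; if the intent is to reject injected foreign addresses on lo, match on address type rather than on a fixed prefix, e.g. `iptables -A LOOPBACK -i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT`, which covers both 127.0.0.0/8 and the box's own interface addresses.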
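To make Matthias' REJECT_INPUT line concrete, here is an added example (written for this page, not IPFire's firewall script): a small POSIX sh evaluator that replays constructed packets through the LOOPBACK chain as it reads before the patch, after the patch (only the rules visible in the hunk), and with an addrtype-based variant that is a suggestion and not part of the patch. The local address set, the GREEN address 192.168.100.254 (taken from the log line) and the interface name green0 are assumptions; nothing here touches a real netfilter table.

```shell
#!/bin/sh
# Added example, not IPFire code: evaluate the LOOPBACK chain from the hunk
# against a few constructed packets. Models only -i/-o, -s/-d CIDR matches
# and "-m addrtype --src-type LOCAL --dst-type LOCAL".

# Constructed assumption: what "addrtype LOCAL" would match on this box.
# 192.168.100.254 is the GREEN address from Matthias' log line.
LOCAL_ADDRS="127.0.0.0/8 192.168.100.254/32"

# ip2int A.B.C.D -> 32-bit integer (always called in a subshell, so the
# IFS change does not leak into the caller).
ip2int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside NET/BITS
in_cidr() {
    c_ip=$(ip2int "$1")
    c_net=$(ip2int "${2%/*}")
    c_bits=${2#*/}
    c_mask=$(( (0xffffffff << (32 - c_bits)) & 0xffffffff ))
    [ $(( c_ip & c_mask )) -eq $(( c_net & c_mask )) ]
}

# is_local IP -> exit 0 if IP falls into one of LOCAL_ADDRS
is_local() {
    for l_net in $LOCAL_ADDRS; do
        in_cidr "$1" "$l_net" && return 0
    done
    return 1
}

# match_rule IN OUT SRC DST RULE... -> prints the target when every match
# in RULE holds, else exits 1. IN/OUT are "-" when absent (INPUT has no OUT).
match_rule() {
    m_in=$1 m_out=$2 m_src=$3 m_dst=$4
    shift 4
    while [ $# -gt 0 ]; do
        case $1 in
            -i) [ "$m_in" = "$2" ] || return 1 ;;
            -o) [ "$m_out" = "$2" ] || return 1 ;;
            -s) in_cidr "$m_src" "$2" || return 1 ;;
            -d) in_cidr "$m_dst" "$2" || return 1 ;;
            -m) [ "$2" = addrtype ] || return 1 ;;
            --src-type) [ "$2" = LOCAL ] && is_local "$m_src" || return 1 ;;
            --dst-type) [ "$2" = LOCAL ] && is_local "$m_dst" || return 1 ;;
            -j) echo "$2"; return 0 ;;
            *) return 1 ;;
        esac
        shift 2
    done
    return 1
}

# run_chain IN OUT SRC DST, rules on stdin one per line -> first matching
# target, or RETURN when the chain falls through to its caller (INPUT).
run_chain() {
    while read -r r_rule; do
        [ -n "$r_rule" ] || continue
        if r_target=$(match_rule "$1" "$2" "$3" "$4" $r_rule); then
            echo "$r_target"
            return 0
        fi
    done
    echo RETURN
}

# Rule sets: "before"/"after" are the lines visible in the hunk; "addrtype"
# is a suggested alternative that the patch does not contain.
rules() {
    case $1 in
        before) cat <<'EOF'
-i lo -j ACCEPT
-o lo -j ACCEPT
-s 127.0.0.0/8 -j DROP
EOF
        ;;
        after) cat <<'EOF'
-i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
-s 127.0.0.0/8 -j DROP
EOF
        ;;
        addrtype) cat <<'EOF'
-i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT
-o lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT
-s 127.0.0.0/8 -j DROP
EOF
        ;;
    esac
}

# verdict VARIANT IN OUT SRC DST -> ACCEPT, DROP or RETURN
verdict() {
    v_variant=$1
    shift
    rules "$v_variant" | run_chain "$@"
}

# Demo: the packet behind the REJECT_INPUT log line (locally generated,
# delivered over lo with the GREEN address as source and destination), a
# genuine 127/8 packet, and a spoofed loopback source arriving on green0.
for variant in before after addrtype; do
    printf '%-8s green->green on lo: %s  127->127 on lo: %s  127->green on green0: %s\n' \
        "$variant" \
        "$(verdict "$variant" lo - 192.168.100.254 192.168.100.254)" \
        "$(verdict "$variant" lo - 127.0.0.1 127.0.0.1)" \
        "$(verdict "$variant" green0 - 127.0.0.1 192.168.100.254)"
done
```

The "after" variant returns RETURN for the green->green packet, which is the chain falling through to the INPUT reject that Matthias saw, while the spoofed 127.0.0.1 source on green0 is dropped in all three variants by the rule the patch left untouched. On a real box, the set that `-m addrtype --src-type LOCAL` matches is what `ip route show table local` lists, which the LOCAL_ADDRS assumption stands in for here.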