From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Wed, 19 Jan 2022 08:25:49 +0000 [thread overview]
Message-ID: <C5F341C6-C652-49D6-8F99-2CBA0B2E2C3B@ipfire.org> (raw)
In-Reply-To: <cd94bc2d-87ec-62bf-06d2-de3577588ed0@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4211 bytes --]
Agreed.
> On 18 Jan 2022, at 21:22, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> Since I already put that patchset into my temporary development branch for Core Update 164,
> I will work on a dedicated patch for renaming the variables instead of reverting these and
> submit a second version of the patchset.
Don’t merge prematurely :)
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello,
>>
>>> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>
>>> Hello Michael,
>>>
>>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>>
>>>> Is this what you intended?
>>>
>>> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>>> packets.
>>>
>>> Should I update the misleading "DROP*" variables as well to keep things consistent?
>>
>> Yes. I would say so. I like things when they are tidy.
>>
>> -Michael
>>
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hello,
>>>>
>>>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>>
>>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>>> interface, never on any other interface. This ensures offending packets
>>>>> are logged, and the loopback interface cannot be abused for processing
>>>>> traffic from and to any other networks.
>>>>>
>>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>>> ---
>>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>>>>
>>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>>> index cc5baa292..1c62c6e2c 100644
>>>>> --- a/src/initscripts/system/firewall
>>>>> +++ b/src/initscripts/system/firewall
>>>>> @@ -80,6 +80,14 @@ iptables_init() {
>>>>> fi
>>>>> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>>>>
>>>>> + # Log and subsequently drop spoofed packets or "martians", arriving from sources
>>>>> + # on interfaces where we don't expect them
>>>>> + iptables -N SPOOFED_MARTIAN
>>>>> + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>>>>
>>>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>>>>
>>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>>
>>>> Is this what you intended?
>>>>
>>>>> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
>>>>> + fi
>>>>> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>>>> +
>>>>> # Chain to contain all the rules relating to bad TCP flags
>>>>> iptables -N BADTCP
>>>>>
>>>>> @@ -177,14 +185,18 @@ iptables_init() {
>>>>> iptables -A INPUT -j ICMPINPUT
>>>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>>>>
>>>>> - # Accept everything on loopback
>>>>> + # Accept everything on loopback if source/destination is loopback space...
>>>>> iptables -N LOOPBACK
>>>>> - iptables -A LOOPBACK -i lo -j ACCEPT
>>>>> - iptables -A LOOPBACK -o lo -j ACCEPT
>>>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>>>> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>>>> +
>>>>> + # ... and drop everything else on the loopback interface, since no other traffic should appear there
>>>>> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>>>> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>>>>
>>>>> - # Filter all packets with loopback addresses on non-loopback interfaces.
>>>>> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>>>> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>>>> + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>>>> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>>
>>>>> for i in INPUT FORWARD OUTPUT; do
>>>>> iptables -A ${i} -j LOOPBACK
>>>>> --
>>>>> 2.26.2
>>>>
>>
next prev parent reply other threads:[~2022-01-19 8:25 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-18 13:46 [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Peter Müller
2021-12-18 13:47 ` [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state Peter Müller
2021-12-18 13:47 ` [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter Peter Müller
2022-01-07 16:58 ` Michael Tremer
2022-01-08 11:38 ` Peter Müller
2021-12-18 13:48 ` [PATCH 03/11] firewall: Log and drop spoofed loopback packets Peter Müller
2022-01-07 17:01 ` Michael Tremer
2022-01-08 11:43 ` Peter Müller
2022-01-16 15:14 ` Michael Tremer
2022-01-18 21:22 ` Peter Müller
2022-01-19 8:25 ` Michael Tremer [this message]
2021-12-18 13:48 ` [PATCH 04/11] firewall: Prevent spoofing our own RED IP address Peter Müller
2021-12-18 13:48 ` [PATCH 05/11] firewall: Introduce DROP_HOSTILE Peter Müller
2022-01-07 17:04 ` Michael Tremer
2022-01-08 10:39 ` Peter Müller
2021-12-18 13:49 ` [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Peter Müller
2021-12-18 13:49 ` [PATCH 07/11] Update German and English translation files Peter Müller
2021-12-18 13:49 ` [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} Peter Müller
2021-12-18 13:49 ` [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well Peter Müller
2021-12-18 13:50 ` [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default Peter Müller
2021-12-18 13:50 ` [PATCH 11/11] configroot: Drop traffic from and to hostile networks " Peter Müller
2022-01-07 16:57 ` [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C5F341C6-C652-49D6-8F99-2CBA0B2E2C3B@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox