From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Wed, 19 Jan 2022 08:25:49 +0000

Agreed.

> On 18 Jan 2022, at 21:22, Peter Müller wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
> Since I already put that patchset into my temporary development branch for Core Update 164,
> I will work on a dedicated patch for renaming the variables instead of reverting these and
> submit a second version of the patchset. Don’t merge prematurely :)
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>>> On 8 Jan 2022, at 11:43, Peter Müller wrote:
>>> 
>>> Hello Michael,
>>> 
>>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>> 
>>>> Is this what you intended?
>>> 
>>> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>>> packets.
>>> 
>>> Should I update the misleading "DROP*" variables as well to keep things consistent?
>> 
>> Yes. I would say so. I like things when they are tidy.
>> 
>> -Michael
>> 
>>> 
>>> Thanks, and best regards,
>>> Peter Müller
>>> 
>>> 
>>>> Hello,
>>>> 
>>>>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>>>> 
>>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>>> interface, never on any other interface. This ensures offending packets
>>>>> are logged, and the loopback interface cannot be abused for processing
>>>>> traffic from and to any other networks.
>>>>> 
>>>>> Signed-off-by: Peter M=C3=BCller >>>>> --- >>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------ >>>>> 1 file changed, 18 insertions(+), 6 deletions(-) >>>>>=20 >>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/f= irewall >>>>> index cc5baa292..1c62c6e2c 100644 >>>>> --- a/src/initscripts/system/firewall >>>>> +++ b/src/initscripts/system/firewall >>>>> @@ -80,6 +80,14 @@ iptables_init() { >>>>> fi >>>>> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" >>>>>=20 >>>>> + # Log and subsequently drop spoofed packets or "martians", arriving f= rom sources >>>>> + # on interfaces where we don't expect them >>>>> + iptables -N SPOOFED_MARTIAN >>>>> + if [ "$DROPSPOOFEDMARTIAN" =3D=3D "on" ]; then >>>>=20 >>>> DROP? Shouldn=E2=80=99t the variable be called LOGSPOOFEDMARTIAN? >>>>=20 >>>> You will always drop any packets sent to this chain, but you won=E2=80= =99t always log them. >>>>=20 >>>> Is this what you intended? >>>>=20 >>>>> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --lo= g-prefix "DROP_SPOOFED_MARTIAN " >>>>> + fi >>>>> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFE= D_MARTIAN" >>>>> + >>>>> # Chain to contain all the rules relating to bad TCP flags >>>>> iptables -N BADTCP >>>>>=20 
>>>>> @@ -177,14 +185,18 @@ iptables_init() { >>>>> iptables -A INPUT -j ICMPINPUT >>>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>>>=20 >>>>> - # Accept everything on loopback >>>>> + # Accept everything on loopback if source/destination is loopback spa= ce... >>>>> iptables -N LOOPBACK >>>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT >>>>> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT >>>>> + >>>>> + # ... and drop everything else on the loopback interface, since no ot= her traffic should appear there >>>>> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN >>>>> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN >>>>>=20 >>>>> - # Filter all packets with loopback addresses on non-loopback interfac= es. >>>>> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>>> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP >>>>> + # Filter all packets with loopback addresses on non-loopback interfac= es (spoofed) >>>>> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN >>>>> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN >>>>>=20 >>>>> for i in INPUT FORWARD OUTPUT; do >>>>> iptables -A ${i} -j LOOPBACK >>>>> --=20 >>>>> 2.26.2 >>>>=20 >>=20 --===============1665780290331917756==--
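Review bot: in the first hunk (the new SPOOFED_MARTIAN chain), the toggle `if [ "$DROPSPOOFEDMARTIAN" == "on" ]` only gates the LOG rule while the following `iptables -A SPOOFED_MARTIAN -j DROP` is unconditional, so the option controls logging, not dropping, and its name (and the `DROP_SPOOFED_MARTIAN` log prefix and comment) should say so, as already raised in the thread; while touching that line, `==` inside single-bracket `[ ]` is a bash extension, and the POSIX `=` behaves identically here.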
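Review bot: in the second hunk (the LOOPBACK chain), the catch-all pair `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` / `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` will also drop, and with logging enabled report as spoofed, legitimate traffic outside 127.0.0.0/8: Linux delivers packets addressed to any of the host's own addresses over lo, so a local process connecting to the firewall's green or red address, and the reply to it, traverses the loopback interface with a non-loopback source and destination. The comment "no other traffic should appear there" therefore does not hold. Suggest either limiting the new SPOOFED_MARTIAN jumps to the 127.0.0.0/8-on-other-interfaces case covered by the last two rules of the hunk, or accepting packets on lo whose source and destination belong to the firewall itself ahead of the catch-all jumps, and verifying with a connection from the firewall to one of its own non-loopback addresses before merging.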