From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection
Date: Fri, 07 Jan 2022 16:57:45 +0000

Hello,

I would like to make it short since I already said how much I like this on the video call…

Please see my replies to the individual patches.

-Michael

> On 18 Dec 2021, at 13:46, Peter Müller wrote:
>
> This patchset improves IPFire's firewall engine by...
>
> (a) improved logging of spoofed packets and martians
>
> (b) prevention of spoofing attempts on RED's interface IP address
>
> (c) dropping traffic from and to networks known to pose a technical threat to
> IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
> for details) by default on new installations, doing so in a dedicated, easy
> to configure iptables chain.
> Sadly, a decent fraction of our userbase does not bother creating any firewall
> rules at all, so any outbound traffic is allowed on their networks. Therefore,
> preventing them from reaching the "baddest of the bad" makes sense for a basic
> detection of their devices and networks.
> Any sane IPS configuration would already cover the networks in question, so
> most IPFire machines running a decent IPS policy will already drop the offending
> traffic, albeit in a rather costly way.
>
> Please note this patchset needs additional commits for the Core Update it is
> intended to go to, such as shipping the changed files, and adding sane defaults
> to existing installations in /var/ipfire/optionsfw/settings.
>
> See also: #12031
>
> Peter Müller (11):
>   firewall: Log packets dropped due to conntrack INVALID state
>   firewall: Accept inbound Tor traffic before applying the location
>     filter
>   firewall: Log and drop spoofed loopback packets
>   firewall: Prevent spoofing our own RED IP address
>   firewall: Introduce DROP_HOSTILE
>   optionsfw.cgi: Make logging of spoofed/martians packets and the
>     DROP_HOSTILE filter configurable
>   Update German and English translation files
>   collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
>   graphs.pl: Display spoofed and hostile traffic in firewall hits
>     diagram as well
>   configroot: Enable logging of spoofed packets/martians by default
>   configroot: Drop traffic from and to hostile networks by default
>
>  config/cfgroot/graphs.pl        | 22 ++++++--
>  config/collectd/collectd.conf   |  2 +
>  html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
>  langs/de/cgi-bin/de.pl          |  9 +++-
>  langs/en/cgi-bin/en.pl          |  7 ++-
>  lfs/configroot                  |  4 +-
>  src/initscripts/system/firewall | 63 +++++++++++++++++-----
>  7 files changed, 166 insertions(+), 37 deletions(-)
>
> --
> 2.26.2
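The cover letter describes two mechanisms without showing the rules: dropping packets that spoof the firewall's own RED address or a loopback address (with optional logging), and a single dedicated chain for the hostile-network filter that can be inspected or switched off in one place. The script below is an added example of how such chains can be built with plain iptables; it is not IPFire's firewall initscript and not code from this patchset. The chain and log-prefix names follow the cover letter's DROP_HOSTILE / DROP_SPOOFED_MARTIAN naming, but the interface name red0, the address 203.0.113.10, the rate limits, and the use of an ipset called hostile_nets as a stand-in for the libloc "hostile networks" lookup are all assumptions.

```shell
#!/bin/sh
# Added example (not IPFire's firewall initscript, not part of the patchset):
# a minimal iptables skeleton for the anti-spoofing and DROP_HOSTILE chains.
# Assumptions: RED interface red0 with address 203.0.113.10 (TEST-NET-3), an
# ipset "hostile_nets" pre-filled with the hostile networks, and the rate
# limits shown. Run "sh script.sh list" to print the rules without applying.

IPT="${IPT:-iptables}"
RED_DEV="${RED_DEV:-red0}"
RED_IP="${RED_IP:-203.0.113.10}"
HOSTILE_SET="${HOSTILE_SET:-hostile_nets}"
LOG_SPOOFED="${LOG_SPOOFED:-on}"     # log spoofed/martian packets before dropping
DROP_HOSTILE="${DROP_HOSTILE:-on}"   # enable the hostile-network filter

# Every rule goes through one helper so a dry run (IPT=echo) shows exactly
# what would be applied, in the order it would be applied.
rule() { "$IPT" "$@"; }

# Chain for packets that cannot legitimately exist on the wire: our own RED
# address arriving from outside, and loopback addresses on any interface
# other than lo. Logging is rate-limited so a flood cannot fill the log.
spoofed_martian_chain() {
    rule -N DROP_SPOOFED_MARTIAN
    if [ "$LOG_SPOOFED" = "on" ]; then
        rule -A DROP_SPOOFED_MARTIAN -m limit --limit 10/minute \
            -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
    fi
    rule -A DROP_SPOOFED_MARTIAN -j DROP

    # Nobody outside may send packets that claim to come from our RED IP.
    rule -A INPUT   -i "$RED_DEV" -s "$RED_IP" -j DROP_SPOOFED_MARTIAN
    rule -A FORWARD -i "$RED_DEV" -s "$RED_IP" -j DROP_SPOOFED_MARTIAN
    # 127.0.0.0/8 is only valid on lo, whether as source or as destination.
    for chain in INPUT FORWARD; do
        rule -A "$chain" ! -i lo -s 127.0.0.0/8 -j DROP_SPOOFED_MARTIAN
        rule -A "$chain" ! -i lo -d 127.0.0.0/8 -j DROP_SPOOFED_MARTIAN
    done
}

# One dedicated chain for the hostile-network filter, hooked into INPUT,
# FORWARD and OUTPUT for both directions. The chain always exists so that
# counters and graphs can reference it; with the filter off it stays empty.
hostile_chain() {
    rule -N DROP_HOSTILE
    [ "$DROP_HOSTILE" = "on" ] || return 0
    rule -A DROP_HOSTILE -m limit --limit 10/minute -j LOG --log-prefix "DROP_HOSTILE "
    rule -A DROP_HOSTILE -j DROP
    for chain in INPUT FORWARD; do
        rule -A "$chain" -m set --match-set "$HOSTILE_SET" src -j DROP_HOSTILE
    done
    for chain in FORWARD OUTPUT; do
        rule -A "$chain" -m set --match-set "$HOSTILE_SET" dst -j DROP_HOSTILE
    done
}

# Emit (or apply) everything in the order the rules must appear: the spoofing
# and hostile checks have to sit before any ACCEPT rule in the same chains.
firewall_rules() {
    spoofed_martian_chain
    hostile_chain
}

# Only touch the live firewall when explicitly asked to.
case "${1:-}" in
    apply) firewall_rules ;;
    list)  IPT=echo firewall_rules ;;
esac
```

Because both filters live in their own chains, turning DROP_HOSTILE off leaves the (empty) chain in place, so a hit counter or a collectd graph that reads it keeps working; the same pattern makes the spoofing rules one `-L DROP_SPOOFED_MARTIAN -v` away when a user reports dropped traffic.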