From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] avoid emitting VPN traffic to the internet if the IPS crashed
Date: Mon, 27 Jan 2020 15:33:16 +0000
Message-ID: <EF923138-655B-4225-8408-FF0DB62834AD@ipfire.org>
In-Reply-To: <831d6fe4-8851-326a-450f-ac14a017479a@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8708763895354228038=="
List-Id: <development.lists.ipfire.org>

--===============8708763895354228038==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 27 Jan 2020, at 15:04, Peter M=C3=BCller <peter.mueller(a)ipfire.org> wr=
ote:
>=20
> Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
> OpenVPN) destinations was emitted to the internet (ppp0 or red0
> interface) directly if the IPS was enabled but crashed during operation.
>=20
> This patch places the IPSECBLOCK and OVPNBLOCK chains before the
> ones responsible for forwarding traffic into the IPS.
>=20
> Thanks to Michael for his debugging effort.
>=20
> Partially fixes #12257
>=20
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
>=20
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew=
all
> index ec396c708..ab144ea18 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -185,14 +185,6 @@ iptables_init() {
> 	iptables -A INPUT -j GUARDIAN
> 	iptables -A FORWARD -j GUARDIAN
>=20
> -	# IPS (suricata) chains
> -	iptables -N IPS_INPUT
> -	iptables -N IPS_FORWARD
> -	iptables -N IPS_OUTPUT
> -	iptables -A INPUT -j IPS_INPUT
> -	iptables -A FORWARD -j IPS_FORWARD
> -	iptables -A OUTPUT -j IPS_OUTPUT
> -
> 	# Block non-established IPsec networks
> 	iptables -N IPSECBLOCK
> 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
> @@ -204,6 +196,14 @@ iptables_init() {
> 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
> 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
>=20
> +	# IPS (suricata) chains
> +	iptables -N IPS_INPUT
> +	iptables -N IPS_FORWARD
> +	iptables -N IPS_OUTPUT
> +	iptables -A INPUT -j IPS_INPUT
> +	iptables -A FORWARD -j IPS_FORWARD
> +	iptables -A OUTPUT -j IPS_OUTPUT
> +
> 	# OpenVPN transfer network translation
> 	iptables -t nat -N OVPNNAT
> 	iptables -t nat -A POSTROUTING -j OVPNNAT
> --=20
> 2.16.4


--===============8708763895354228038==--