From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Sun, 16 Jan 2022 15:14:24 +0000

Hello,

> On 8 Jan 2022, at 11:43, Peter Müller wrote:
> 
> Hello Michael,
> 
>> You will always drop any packets sent to this chain, but you won't always log them.
>> 
>> Is this what you intended?
> 
> Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
> packets.
> 
> Should I update the misleading "DROP*" variables as well to keep things consistent?

Yes. I would say so. I like things when they are tidy.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> 
>>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>> 
>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>> interface, never on any other interface. This ensures offending packets
>>> are logged, and the loopback interface cannot be abused for processing
>>> traffic from and to any other networks.
>>> 
>>> Signed-off-by: Peter Müller
>>> ---
>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>> 
>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>> index cc5baa292..1c62c6e2c 100644
>>> --- a/src/initscripts/system/firewall
>>> +++ b/src/initscripts/system/firewall
>>> @@ -80,6 +80,14 @@ iptables_init() {
>>> fi
>>> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>> 
>>> + # Log and subsequently drop spoofed packets or "martians", arriving from sources
>>> + # on interfaces where we don't expect them
>>> + iptables -N SPOOFED_MARTIAN
>>> + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>> 
>> DROP? Shouldn't the variable be called LOGSPOOFEDMARTIAN?
>> 
>> You will always drop any packets sent to this chain, but you won't always log them.
>> 
>> Is this what you intended?
>> 
>>> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
>>> + fi
>>> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>> +
>>> # Chain to contain all the rules relating to bad TCP flags
>>> iptables -N BADTCP
>>> 
>>> @@ -177,14 +185,18 @@ iptables_init() {
>>> iptables -A INPUT -j ICMPINPUT
>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>> 
>>> - # Accept everything on loopback
>>> + # Accept everything on loopback if source/destination is loopback space ...
>>> iptables -N LOOPBACK
>>> - iptables -A LOOPBACK -i lo -j ACCEPT
>>> - iptables -A LOOPBACK -o lo -j ACCEPT
>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>> +
>>> + # ... and drop everything else on the loopback interface, since no other traffic should appear there
>>> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>> 
>>> - # Filter all packets with loopback addresses on non-loopback interfaces.
>>> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>> + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>> 
>>> for i in INPUT FORWARD OUTPUT; do
>>> iptables -A ${i} -j LOOPBACK
>>> --
>>> 2.26.2
>> 
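Review bot: In the first hunk (@@ -80,6 +80,14 @@), `DROPSPOOFEDMARTIAN` only gates the `-j LOG` rule, while `iptables -A SPOOFED_MARTIAN -j DROP` is appended unconditionally, so the name promises a drop toggle the variable does not provide; renaming it to LOGSPOOFEDMARTIAN, as the thread agrees, removes that mismatch. Two smaller points on the same lines: `==` inside single-bracket `[ ]` is a bash extension, and `=` is the portable `test` spelling; and `-m limit --limit 10/second` silently inherits the default `--limit-burst 5`, so stating the burst explicitly in the rule makes the effective log rate visible to whoever reads the chain later.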
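Review bot: In the second hunk (@@ -177,14 +185,18 @@), the two new rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` will also log and drop legitimate local traffic, because Linux delivers packets addressed to any of the host's own addresses (the entries in `ip route show table local`) over `lo`, not only 127.0.0.0/8. A daemon on the firewall connecting to the box's green or red address, or a service bound there replying to itself, traverses `lo` with non-loopback source and destination and would now be classified as spoofed; since the chain is reached from INPUT, FORWARD and OUTPUT, both directions are affected. Suggest either accepting `lo` traffic whose addresses are locally assigned before the two `-j SPOOFED_MARTIAN` lines, or keeping only the address-based filter that the last two `+` lines (`-s 127.0.0.0/8` / `-d 127.0.0.0/8`) already provide, and recording in the commit message which local-connection cases were tested. A minor note: `-i lo` can never match when the chain is entered from OUTPUT and `-o lo` never from INPUT, so each of those rules is dead in one of the three hooks; that is inherited from the removed `-i lo -j ACCEPT` / `-o lo -j ACCEPT` lines, but a comment would save the next reader the puzzle.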