From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] firewall: always allow outgoing DNS traffic to root servers Date: Thu, 26 Sep 2019 16:25:13 +0100 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1953899687051286142==" List-Id: --===============1953899687051286142== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 25 Sep 2019, at 20:45, peter.mueller(a)ipfire.org wrote: >=20 > Allowing outgoing DNS traffic (destination port 53, both TCP > and UDP) to the root servers is BCP for some reasons. First, > RFC 5011 assumes resolvers are able to fetch new trust ancors > from the root servers for a certain time period in order to > do key rollovers. >=20 > Second, Unbound shows some side effects if it cannot do trust > anchor signaling (see RFC 8145) or fetch the current trust anchor, > resulting in SERVFAILs for arbitrary requests a few minutes. >=20 > There is little security implication of allowing DNS traffic > to the root servers: An attacker might abuse this for exfiltrating > data via DNS queries, but is unable to infiltrate data unless > he gains control over at least one root server instance. If > there is no firewall ruleset in place which prohibits any other > DNS traffic than to chosen DNS servers, this patch will not > have security implications at all. I think we need to document this on the wiki before we merge this patch. > Fixes #12183 >=20 > Cc: Michael Tremer > Suggested-by: Horace Michael > Signed-off-by: Peter M=C3=BCller > --- > config/rootfiles/core/137/filelists/files | 1 + > src/initscripts/system/firewall | 16 ++++++++++++++-- > 2 files changed, 15 insertions(+), 2 deletions(-) >=20 > diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/c= ore/137/filelists/files > index ce4e51768..a02840d12 100644 > --- a/config/rootfiles/core/137/filelists/files 
> +++ b/config/rootfiles/core/137/filelists/files > @@ -1,4 +1,5 @@ > etc/system-release > etc/issue > +etc/rc.d/init.d/firewall > srv/web/ipfire/cgi-bin/credits.cgi > var/ipfire/langs > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index ec396c708..ff63a2ede 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -6,10 +6,11 @@ > eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) > -IFACE=3D`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\01= 2'` > +ROOTHINTS=3D"/etc/unbound/root.hints" > +IFACE=3D$( /bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\= 012' ) >=20 > if [ -f /var/ipfire/red/device ]; then > - DEVICE=3D`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '= \012'` > + DEVICE=3D$( /bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d= '\012' ) > fi Why the added whitespace? Should have been an extra patch. >=20 > function iptables() { 
> @@ -307,6 +308,17 @@ iptables_init() { > iptables -A INPUT -j TOR_INPUT > iptables -N TOR_OUTPUT > iptables -A OUTPUT -j TOR_OUTPUT > + > + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers > + ROOTSERVERIPS=3D"$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} | xargs )" > + ipset -N root-servers iphash ROOTSERVERIPS could have been an array and could have been local. You do not need to call xargs. It is a rather expensive way to remove line br= eaks. > + > + for ip in ${ROOTSERVERIPS}; do > + ipset add root-servers $ip > + done It is also interesting that ipset does not allow to add more IP addresses in = one go. This looks like a very expensive loop for a lot of IP addresses. I th= ink this is fine here for about a dozen addresses, but importing a blacklist = of thousands or tens of thousands of IP addresses will take a long time. > + > + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 = -j ACCEPT > + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 = -j ACCEPT > =09 > # Jump into the actual firewall ruleset. > iptables -N INPUTFW > --=20 > 2.16.4 -Michael --===============1953899687051286142==--
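Review bot: in the first firewall hunk (`+ROOTHINTS="/etc/unbound/root.hints"`), the script never checks that this file exists or is readable, and if it does not, the later `awk ... ${ROOTHINTS}` in iptables_init prints nothing, the ipset is created empty and the two ACCEPT rules silently match nothing, so the patch fails at exactly its purpose without any visible error. Suggest guarding the use, e.g. `if [ -r "${ROOTHINTS}" ]; then ... else echo "firewall: ${ROOTHINTS} missing, root server rules skipped" >&2; fi`, and since the variable is only used inside iptables_init, define it there instead of in the block that also rewrites the IFACE/DEVICE assignments.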
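Review bot: in the iptables_init hunk, `ipset -N root-servers iphash` and the unguarded `ipset add root-servers $ip` loop are not idempotent: the patch adds no matching `ipset flush`/`ipset destroy`, so the second time iptables_init runs the create fails because the set already exists and every add fails because the entry already exists. Use the current syntax with `-exist` (`ipset create root-servers hash:ip -exist` and `ipset add root-servers $ip -exist`), and flush the set before refilling it so addresses dropped from root.hints do not linger. Two more points worth stating in the commit message: the `awk '/\s+A\s+/ { print $4 }'` filter depends on the gawk `\s` extension and matches A records only, so IPv6 root server addresses (AAAA) are never allowed by these rules; and the rules are appended to OUTPUT only, so they cover the resolver running on the firewall itself and not forwarded client traffic, which is narrower than the "outgoing DNS traffic" wording suggests.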