Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3941 bytes --]

Hello Michael,

thanks for your reply.

Since I already put that patchset into my temporary development branch for Core Update 164,
I will work on a dedicated patch for renaming the variables instead of reverting these and
submit a second version of the patchset.

Thanks, and best regards,
Peter Müller


> Hello,
> 
>> On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> Hello Michael,
>>
>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>
>>> Is this what you intended?
>>
>> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>> packets.
>>
>> Should I update the misleading "DROP*" variables as well to keep things consistent?
> 
> Yes. I would say so. I like things when they are tidy.
> 
> -Michael
> 
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>>>
>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>> interface, never on any other interface. This ensures offending packets
>>>> are logged, and the loopback interface cannot be abused for processing
>>>> traffic from and to any other networks.
>>>>
>>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>>>> ---
>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>>>
>>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>>>> index cc5baa292..1c62c6e2c 100644
>>>> --- a/src/initscripts/system/firewall
>>>> +++ b/src/initscripts/system/firewall
>>>> @@ -80,6 +80,14 @@ iptables_init() {
>>>> 	fi
>>>> 	iptables -A NEWNOTSYN  -j DROP -m comment --comment "DROP_NEWNOTSYN"
>>>>
>>>> +	# Log and subsequently drop spoofed packets or "martians", arriving from sources
>>>> +	# on interfaces where we don't expect them
>>>> +	iptables -N SPOOFED_MARTIAN
>>>> +	if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
>>>
>>> DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
>>>
>>> You will always drop any packets sent to this chain, but you won’t always log them.
>>>
>>> Is this what you intended?
>>>
>>>> +		iptables -A SPOOFED_MARTIAN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_SPOOFED_MARTIAN "
>>>> +	fi
>>>> +	iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
>>>> +
>>>> 	# Chain to contain all the rules relating to bad TCP flags
>>>> 	iptables -N BADTCP
>>>>
>>>> @@ -177,14 +185,18 @@ iptables_init() {
>>>> 	iptables -A INPUT -j ICMPINPUT
>>>> 	iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
>>>>
>>>> -	# Accept everything on loopback
>>>> +	# Accept everything on loopback if source/destination is loopback space...
>>>> 	iptables -N LOOPBACK
>>>> -	iptables -A LOOPBACK -i lo -j ACCEPT
>>>> -	iptables -A LOOPBACK -o lo -j ACCEPT
>>>> +	iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
>>>> +	iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
>>>> +
>>>> +	# ... and drop everything else on the loopback interface, since no other traffic should appear there
>>>> +	iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
>>>> +	iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
>>>>
>>>> -	# Filter all packets with loopback addresses on non-loopback interfaces.
>>>> -	iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
>>>> -	iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
>>>> +	# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
>>>> +	iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>> +	iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
>>>>
>>>> 	for i in INPUT FORWARD OUTPUT; do
>>>> 		iptables -A ${i} -j LOOPBACK
>>>> -- 
>>>> 2.26.2
>>>
>