From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Tue, 18 Jan 2022 21:22:36 +0000

Hello Michael,

thanks for your reply.

Since I already put that patchset into my temporary development branch for Core Update 164, I will
work on a dedicated patch for renaming the variables instead of reverting these and submit a second
version of the patchset.

Thanks, and best regards,
Peter Müller

> Hello,
>
>> On 8 Jan 2022, at 11:43, Peter Müller wrote:
>>
>> Hello Michael,
>>
>>> You will always drop any packets sent to this chain, but you won't always log them.
>>>
>>> Is this what you intended?
>>
>> yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things
>> like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such
>> packets.
>>
>> Should I update the misleading "DROP*" variables as well to keep things consistent?
>
> Yes. I would say so. I like things when they are tidy.
>
> -Michael
>
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hello,
>>>
>>>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>>>
>>>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>>>> interface, never on any other interface. This ensures offending packets
>>>> are logged, and the loopback interface cannot be abused for processing
>>>> traffic from and to any other networks.
>>>>
>>>> Signed-off-by: Peter Müller
>>>> ---
>>>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>>>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fi= rewall >>>> index cc5baa292..1c62c6e2c 100644 >>>> --- a/src/initscripts/system/firewall >>>> +++ b/src/initscripts/system/firewall >>>> @@ -80,6 +80,14 @@ iptables_init() { >>>> fi >>>> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" >>>> >>>> + # Log and subsequently drop spoofed packets or "martians", arriving fr= om sources >>>> + # on interfaces where we don't expect them >>>> + iptables -N SPOOFED_MARTIAN >>>> + if [ "$DROPSPOOFEDMARTIAN" =3D=3D "on" ]; then >>> >>> DROP? Shouldn=E2=80=99t the variable be called LOGSPOOFEDMARTIAN? >>> >>> You will always drop any packets sent to this chain, but you won=E2=80=99= t always log them. >>> >>> Is this what you intended? >>> >>>> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log= -prefix "DROP_SPOOFED_MARTIAN " >>>> + fi >>>> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED= _MARTIAN" >>>> + >>>> # Chain to contain all the rules relating to bad TCP flags >>>> iptables -N BADTCP 
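Review bot: The `if [ "$DROPSPOOFEDMARTIAN" == "on" ]` test in this hunk reads a variable that is neither given a default here nor touched anywhere else in the series (the diffstat lists only src/initscripts/system/firewall), so on an installation whose settings do not yet carry that key the test is silently false and the chain drops without ever logging; consider handling the unset case explicitly (for example treating an empty value as "on") and, as already raised in the thread, renaming it LOGSPOOFEDMARTIAN, because the `-j DROP` rule is appended unconditionally and only the LOG rule is optional. The `-m limit --limit 10/second` on the LOG rule is the right guard against log flooding; a short comment that the limit applies to the log line and not to the drop would make the chain easier to read.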
>>>> >>>> @@ -177,14 +185,18 @@ iptables_init() { >>>> iptables -A INPUT -j ICMPINPUT >>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>> >>>> - # Accept everything on loopback >>>> + # Accept everything on loopback if source/destination is loopback spac= e... >>>> iptables -N LOOPBACK >>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT >>>> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT >>>> + >>>> + # ... and drop everything else on the loopback interface, since no oth= er traffic should appear there >>>> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN >>>> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN >>>> >>>> - # Filter all packets with loopback addresses on non-loopback interface= s. >>>> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP >>>> + # Filter all packets with loopback addresses on non-loopback interface= s (spoofed) >>>> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN >>>> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN >>>> >>>> for i in INPUT FORWARD OUTPUT; do >>>> iptables -A ${i} -j LOOPBACK >>>> --=20 >>>> 2.26.2 >>> >=20 --===============4190303632575558695==--
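Review bot: The two new catch-all rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` replace the former unconditional accept on lo, so any packet on lo whose source or destination lies outside 127.0.0.0/8 is now logged and dropped. On Linux, traffic between two addresses assigned to the same host (a local process connecting to the firewall's own green or red address, for instance) is also delivered over lo with those non-loopback addresses, and with this hunk such packets would be classified as spoofed. Please verify that local-to-local traffic on non-loopback addresses still works after this change, or narrow the lo rules so that only packets whose addresses belong to neither 127.0.0.0/8 nor a locally configured interface are sent to SPOOFED_MARTIAN. The final two rules (`-s 127.0.0.0/8` and `-d 127.0.0.0/8` with no interface match) are correctly positioned, since anything arriving on lo has already been decided by the earlier rules and only non-loopback interfaces reach them.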