From: Peter Müller
To: development@lists.ipfire.org
Subject: [PATCH 04/11] firewall: Prevent spoofing our own RED IP address
Date: Sat, 18 Dec 2021 14:48:33 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>

There is no legitimate reason why traffic from our own IP address on RED should ever appear incoming on that interface. This prevents attackers from impersonating IPFire itself, and is only cleared/reset if the RED interface is brought up. Therefore, an attacker cannot bypass this by forcing a dial-up or DHCP connection to break down.

Signed-off-by: Peter Müller
---
 src/initscripts/system/firewall | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 1c62c6e2c..9e62c0245 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -374,6 +374,17 @@ iptables_red_up() {
 iptables -F REDFORWARD
 iptables -t nat -F REDNAT
 
+# Prohibit spoofing our own IP address on RED
+if [ -f /var/ipfire/red/active ]; then
+REDIP="$( cat /var/ipfire/red/local-ipaddress )";
+
+if [ "$IFACE" != "" ]; then
+iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN
+elif [ "$DEVICE" != "" ]; then
+iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN
+fi
+fi
+
 # PPPoE / PPTP Device
 if [ "$IFACE" != "" ]; then
 # PPPoE / PPTP
-- 
2.26.2
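Review bot: `$REDIP` is used unquoted and never checked for emptiness before the two `iptables -A REDINPUT -s $REDIP ...` calls. If `/var/ipfire/red/active` exists but `/var/ipfire/red/local-ipaddress` is missing or empty, the expansion collapses to `iptables -A REDINPUT -s -i $IFACE -j SPOOFED_MARTIAN`, iptables rejects `-i` as a malformed address, and the anti-spoofing rule is silently not installed while the script carries on. Guard the block with something like `if [ -n "${REDIP}" ]; then` and quote the variable (`-s "${REDIP}"`); the trailing `;` on the `REDIP=` assignment is also a leftover. Since the rule is appended with `-A`, it only takes effect if nothing earlier in REDINPUT already accepts such packets, which is worth confirming against the rules added above this hunk.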