From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 03/11] firewall: Log and drop spoofed loopback packets
Date: Sat, 08 Jan 2022 12:43:03 +0100
In-Reply-To: <944746CA-5121-4DB9-905F-66E251DA6288@ipfire.org>

Hello Michael,

> You will always drop any packets sent to this chain, but you won't always log them.
>
> Is this what you intended?

yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such packets.

Should I update the misleading "DROP*" variables as well to keep things consistent?

Thanks, and best regards,
Peter Müller

> Hello,
>
>> On 18 Dec 2021, at 13:48, Peter Müller wrote:
>>
>> Traffic from and to 127.0.0.0/8 must only appear on the loopback
>> interface, never on any other interface. This ensures offending packets
>> are logged, and the loopback interface cannot be abused for processing
>> traffic from and to any other networks.
>>
>> Signed-off-by: Peter Müller
>> ---
>> src/initscripts/system/firewall | 24 ++++++++++++++++++------
>> 1 file changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index cc5baa292..1c62c6e2c 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -80,6 +80,14 @@ iptables_init() { >> fi >> iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" >> >> + # Log and subsequently drop spoofed packets or "martians", arriving from= sources >> + # on interfaces where we don't expect them >> + iptables -N SPOOFED_MARTIAN >> + if [ "$DROPSPOOFEDMARTIAN" =3D=3D "on" ]; then >=20 > DROP? Shouldn=E2=80=99t the variable be called LOGSPOOFEDMARTIAN? >=20 > You will always drop any packets sent to this chain, but you won=E2=80=99t = always log them. >=20 > Is this what you intended? >=20 >> + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-p= refix "DROP_SPOOFED_MARTIAN " >> + fi >> + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_M= ARTIAN" >> + >> # Chain to contain all the rules relating to bad TCP flags >> iptables -N BADTCP 
>> >> @@ -177,14 +185,18 @@ iptables_init() { >> iptables -A INPUT -j ICMPINPUT >> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >> >> - # Accept everything on loopback >> + # Accept everything on loopback if source/destination is loopback space.= .. >> iptables -N LOOPBACK >> - iptables -A LOOPBACK -i lo -j ACCEPT >> - iptables -A LOOPBACK -o lo -j ACCEPT >> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT >> + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT >> + >> + # ... and drop everything else on the loopback interface, since no other= traffic should appear there >> + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN >> + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN >> >> - # Filter all packets with loopback addresses on non-loopback interfaces. >> - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >> - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP >> + # Filter all packets with loopback addresses on non-loopback interfaces = (spoofed) >> + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN >> + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN >> >> for i in INPUT FORWARD OUTPUT; do >> iptables -A ${i} -j LOOPBACK >> --=20 >> 2.26.2 >=20 --===============7197806903807795875==--
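Review bot: In the first hunk (the new SPOOFED_MARTIAN chain), the `if [ "$DROPSPOOFEDMARTIAN" == "on" ]` test guards only the LOG rule, while `iptables -A SPOOFED_MARTIAN -j DROP` is appended unconditionally, so the variable name suggests dropping is optional when only logging is; renaming it LOGSPOOFEDMARTIAN, as already agreed in the thread, and saying in the comment above the chain that it always drops would make the intent explicit. The hunk also references the variable without showing where it gets a default: if the key is absent from the settings file the test is false and spoofed packets are dropped silently, so the default should be defined in this patch or in another patch of the series.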
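Review bot: In the second hunk, the new catch-all rules `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN` will also match legitimate local traffic: the kernel delivers packets addressed to any of the host's own interface addresses (for example a local process connecting to the green IP) over lo with those real addresses as source and destination, not 127.0.0.0/8, so after this change they fall past the two ACCEPT rules and are logged and dropped. Either narrow the lo catch-all to what the commit message describes (loopback addresses off lo, and on lo only addresses that are neither loopback nor the host's own), or verify on a test system that services bound to the green/blue address still answer local connections before this is merged. A minor point: LOOPBACK is also appended to FORWARD, where `-i lo`/`-o lo` never match, so the lo rules there are dead but harmless.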