From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall/sysctl: Make Reverse Path Forwarding mode configurable
Date: Tue, 19 Apr 2022 12:01:41 +0000
In-Reply-To: <315C91D0-FD75-4F42-995E-7A0B2C81F959@ipfire.org>

Hello Michael,

thanks for your reply.

> Hello,
>
> I do not quite understand the rationale for this switch. Why would the user need to change this?

See below.

> You are talking about asymmetric routing which requires this to be configured in loose mode. Did you have a setup like this?

No, but you mentioned IPFire installations running such setups a few times to me, and that we cannot use strict Reverse Path Forwarding there because that would break asymmetric routing.

> And if so, I would just recommend to revert the original change that clearly seems to be incompatible with some installations then.

I think that is a misunderstanding: There is no original change; actually, I am trying to introduce a change that would improve IPFire's security for most users, while providing the remaining userbase fraction a possibility to disable that improvement, so they can continue to use IPFire.

> I do not see that this is desirable for the user to control. It is complicated to understand what is happening here and the benefits are so marginal (if there are any at all) that I don't think this is worth it.

Strict Reverse Path Forwarding renders classes of spoofing attacks void. Especially for internal attacks, I do think being resistant to spoofing is a security benefit.

This is a complex topic indeed, and most users probably won't understand this in general.
I am afraid I do not have a solution to that, which is why I propose to turn this on for new installations, and recommend users to change it only if they know precisely what they are doing.

Hope to have your questions answered. :-)

Thanks, and best regards,
Peter Müller

>
> -Michael
>
>> On 18 Apr 2022, at 19:27, Peter Müller wrote:
>>
>> For the vast majority of IPFire installations (i.e. those who do not
>> make use of asymmetric routing), it is safe to run the Linux kernel's
>> Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704,
>> section 2.2, significantly hampering spoofing attacks.
>>
>> However, we cannot switch to this operating mode globally, since (a)
>> some IPFire installations cannot use it and (b) we need to avoid a
>> breaking change on this end.
>>
>> Therefore, this patch adds a switch to the firewall options CGI,
>> permitting users to choose between 'loose' and 'strict' RPF mode,
>> whereas 'loose' is the current default. On existing installations, this
>> should be left untouched (although users are urged to check whether
>> they can switch to the 'strict' mode); similar to the 'drop hostile'
>> feature, this should be set to 'strict' by default on new installations.
>>
>> Since only a sysctl is changed under the hood, changes do not require a
>> reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The
>> corresponding misc-prog has been adjusted to reflect this.
>>
>> Signed-off-by: Peter Müller
>> ---
>> html/cgi-bin/optionsfw.cgi | 18 ++++++++++++++++++
>> langs/de/cgi-bin/de.pl | 3 +++
>> langs/en/cgi-bin/en.pl | 5 ++++-
>> src/initscripts/system/sysctl | 11 ++++++++++-
>> src/misc-progs/firewallctrl.c | 1 +
>> 5 files changed, 36 insertions(+), 2 deletions(-)
>>
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index fbff67b2f..72a4cddc8 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_O= RANGE'}} =3D 'selected=3D"sele >> $selected{'MASQUERADE_BLUE'}{'off'} =3D ''; >> $selected{'MASQUERADE_BLUE'}{'on'} =3D ''; >> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} =3D 'selected= =3D"selected"'; >> +$checked{'RPFORWARDINGMODE'}{'loose'} =3D ''; >> +$checked{'RPFORWARDINGMODE'}{'strict'} =3D ''; >> +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} =3D "checked= =3D'checked'"; >> >> &Header::openbox('100%', 'center',); >> print "
"; >> @@ -334,6 +337,21 @@ END >> >> >>
>> + >> + >> + >> + >> + >> + >> + >> + >> + >> +
$Lang::tr{'reverse path forwarding'= }
$Lang::tr{'reverse path forwarding mod= e'} >> + $Lang::tr{'strict'} / >> + $Lang::tr{'loose'} >> +
>> +
>> + >> >>
>> >> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl >> index 6094c191a..047d47fe0 100644 >> --- a/langs/de/cgi-bin/de.pl >> +++ b/langs/de/cgi-bin/de.pl >> @@ -1623,6 +1623,7 @@ >> 'logging server' =3D> 'Protokollierungsserver', >> 'loginlogout' =3D> 'Login/Logout', >> 'logs' =3D> 'Protokolldateien', >> +'loose' =3D> 'locker', >> 'loosedirectorychecking' =3D> 'Loose directorychecking', >> 'low' =3D> 'Niedrig', >> 'ls_dhcpd' =3D> 'DHCP-Server:', >> @@ -2159,6 +2160,8 @@ >> 'restore defaults' =3D> 'Voreinstellungen wiederherstellen', >> 'restore hardware settings' =3D> 'Hardwareeinstellungen wiederherstellen', >> 'restore settings' =3D> 'Einstellungen wiederherstellen', >> +'reverse path forwarding' =3D> 'Reverse Path Forwarding', >> +'reverse path forwarding mode' =3D> 'Betriebsmodus des Reverse Path Forwa= rding (siehe RFC 3704, Abschnitt 2)', >> 'reverse sort' =3D> 'In umgekehrter chronologischer Reihenfolge sortieren', >> 'root' =3D> 'Root', >> 'root certificate' =3D> 'Root-Zertifikat', >> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl >> index 510ed095b..80d8f7f1a 100644 >> --- a/langs/en/cgi-bin/en.pl >> +++ b/langs/en/cgi-bin/en.pl >> @@ -1671,6 +1671,7 @@ >> 'logging server' =3D> 'Logging Server', >> 'loginlogout' =3D> 'Login/Logout', >> 'logs' =3D> 'logs', >> +'loose' =3D> 'loose', >> 'loosedirectorychecking' =3D> 'Loosedirectorychecking', >> 'low' =3D> 'Low', >> 'ls_dhcpd' =3D> 'DHCP Server:', >> @@ -2211,6 +2212,8 @@ >> 'restore defaults' =3D> 'Restore defaults', >> 'restore hardware settings' =3D> 'Restore hardware settings', >> 'restore settings' =3D> 'Reset Settings', >> +'reverse path forwarding' =3D> 'Reverse Path Forwarding', >> +'reverse path forwarding mode' =3D> 'Operating mode of Reverse Path Forwa= rding (see RFC 3704, section 2)', >> 'reverse sort' =3D> 'Sort in reverse chronological order', >> 'root' =3D> 'Root', >> 'root certificate' =3D> 'Root Certificate', 
>> @@ -2394,7 +2397,7 @@ >> 'stop' =3D> 'Stop', >> 'stop ovpn server' =3D> 'Stop OpenVPN Server', >> 'stopped' =3D> 'STOPPED', >> -'strict' =3D> 'Strict', >> +'strict' =3D> 'strict', >> 'subject' =3D> 'Subject', >> 'subject test' =3D> 'Teste-mail', >> 'subject warn' =3D> 'Warning - warnlevel reached', >> diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl >> index 8897c1faa..c7aebbc8d 100644 >> --- a/src/initscripts/system/sysctl >> +++ b/src/initscripts/system/sysctl >> @@ -22,6 +22,8 @@ >> . /etc/sysconfig/rc >> . ${rc_functions} >> >> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) >> + >> case "${1}" in >> start) >> if [ -f "/etc/sysctl.conf" ]; then >> @@ -29,7 +31,7 @@ case "${1}" in >> sysctl -q -p >> evaluate_retval >> fi >> - arch=3D`uname -m` >> + arch=3D$(uname -m) >> case "${arch}" in >> armv*) >> arch=3D"armv6l": >> @@ -40,6 +42,13 @@ case "${1}" in >> sysctl -q -p /etc/sysctl-${arch}.conf >> evaluate_retval >> fi >> + >> + if [ "$RPFORWARDINGMODE" =3D=3D "strict" ]; then >> + boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..." >> + sysctl -q -w net.ipv4.conf.all.rp_filter=3D1 >> + evaluate_retval >> + fi >> + >> ;; >> >> status) >> diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c >> index 0f176597d..b6756b0b1 100644 >> --- a/src/misc-progs/firewallctrl.c >> +++ b/src/misc-progs/firewallctrl.c >> @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) { >> if (!(initsetuid())) >> exit(1); >> >> + safe_system("/etc/rc.d/init.d/sysctl start"); >> int retval =3D safe_system("/usr/lib/firewall/rules.pl"); >> >> /* If rules.pl has been successfully executed, the indicator >> --=20 >> 2.34.1 >=20 --===============4863329452519646954==--
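Review bot: the `$checked{'RPFORWARDINGMODE'}` block in the optionsfw.cgi hunk at @@ -158 has no default for installations whose settings file predates this patch. With `$settings{'RPFORWARDINGMODE'}` unset, the third added line populates `$checked{'RPFORWARDINGMODE'}{''}` and neither radio button is pre-selected, so the form cannot show the 'loose' default the commit message promises. Suggest `$settings{'RPFORWARDINGMODE'} = 'loose' unless defined $settings{'RPFORWARDINGMODE'};` (or wherever this CGI initialises its other defaults) before these three lines.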
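Review bot: the en.pl hunk at @@ -2394 changes the value of the pre-existing 'strict' key from 'Strict' to 'strict'. Because the key existed before this patch, every other page rendering `$Lang::tr{'strict'}` changes its capitalisation too, and de.pl is not touched, so the German UI keeps whatever that key already held. Suggest dedicated keys for the two radio labels (for example 'rpf strict' / 'rpf loose') in both language files instead of repurposing 'strict'.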
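Review bot: the sysctl initscript hunk at @@ -40 only ever raises rp_filter: `if [ "$RPFORWARDINGMODE" == "strict" ]` writes `net.ipv4.conf.all.rp_filter=1`, and there is no else branch writing the loose value (2). Since firewallctrl.c now re-runs `sysctl start` on every save, a user switching back from 'strict' to 'loose' keeps strict filtering until the next reboot. Separately, the kernel enforces the higher of conf/all and conf/<interface> rp_filter, so if /etc/sysctl.conf (applied earlier in this script, not visible here) leaves per-interface or `default` values at 2, writing 1 to `all` alone does not give strict mode on those interfaces. Suggest an explicit else branch, setting `net.ipv4.conf.default.rp_filter` alongside `all`, and `=` rather than `==` inside `[ ]` for portability.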
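Review bot: in the firewallctrl.c hunk the return value of `safe_system("/etc/rc.d/init.d/sysctl start")` is discarded, so a failed sysctl write is invisible to the caller, unlike the `retval` check kept for rules.pl on the next line. The call also re-applies the whole of /etc/sysctl.conf on every firewall rule reload, which is broader than the commit message's "only a sysctl is changed". Suggest checking (at least logging) the return value and, if the initscript grows an action that touches only rp_filter, calling that instead of `start`.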
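A check a practitioner would want after applying this patch, written here as an added example that is not part of Peter's patch or of IPFire: it reports the rp_filter mode the kernel actually enforces per interface (the higher of conf/all and conf/<iface> wins, with 0/1/2 = off/strict/loose as in RFC 3704), run against a constructed sample tree that mirrors /proc/sys/net/ipv4/conf. The interface names and values in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch or IPFire. Linux applies the HIGHER of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so writing
# 1 to "all" alone does not give strict mode on an interface still set to 2.

# Map a numeric rp_filter value to its RFC 3704 mode name.
rpf_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo "unknown($1)" ;;
    esac
}

# rpf_effective ALL IFACE -> name of the mode the kernel enforces (the max).
rpf_effective() {
    if [ "$1" -ge "$2" ]; then rpf_mode_name "$1"; else rpf_mode_name "$2"; fi
}

# rpf_audit ROOT: ROOT mirrors /proc/sys/net/ipv4/conf. Prints "<iface> <mode>"
# for every interface directory except the all/default templates.
rpf_audit() {
    root="$1"
    all=$(cat "$root/all/rp_filter")
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        echo "$iface $(rpf_effective "$all" "$(cat "$dir/rp_filter")")"
    done
}

# Constructed sample (not a real box): the patch's "sysctl -w
# net.ipv4.conf.all.rp_filter=1" has run, but red0 still sits at 2 (loose).
make_sample() {
    root=$(mktemp -d)
    for i in all default green0 red0; do mkdir -p "$root/$i"; done
    echo 1 > "$root/all/rp_filter"
    echo 2 > "$root/default/rp_filter"
    echo 1 > "$root/green0/rp_filter"
    echo 2 > "$root/red0/rp_filter"
    echo "$root"
}

rpf_audit "$(make_sample)"
```

On a live system, call `rpf_audit /proc/sys/net/ipv4/conf` to see which interfaces really are strict after toggling the new option.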