From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Accept traffic on loopback interface if source and destination are within 127.0.0.0/8 only
Date: Tue, 19 May 2020 22:23:18 +0200

Hi,

sorry, no idea. The only thing I've found is that "squidGuard uses Squid's [8]standard redirector interface". *If* 'squidguard' is the culprit here.

Best,
Matthias

On 19.05.2020 15:06, Peter Müller wrote:
> Hello Matthias, hello list,
>
> why is that traffic passing through the loopback interface?!
>
> Thanks, and best regards,
> Peter Müller
>
>> Hi,
>>
>> perhaps it's only me, but after applying this patch for testing purposes
>> I don't see any (redirected) urlfilter block pages anymore.
>>
>> Only the firewall logs are telling me:
>>
>> ...
>> REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81
>> ...
>>
>> I had to build a new "Incoming Firewall Access" rule (INPUTFW) allowing
>> TCP traffic from (e.g.) 192.168.100.254/32 to GREEN (192.168.100.254) to
>> TCP port 81 to see a block page again...
>>
>> Only me?
>>
>> Best,
>> Matthias
>>
>> On 14.05.2020 12:36, Michael Tremer wrote:
>>> Hello,
>>>
>>> This is indeed *very* unlikely, but I am okay with this patch being accepted.
>>>
>>> Acked-by: Michael Tremer
>>>
>>> Best,
>>> -Michael
>>>
>>>> On 13 May 2020, at 21:21, Peter Müller wrote:
>>>>
>>>> This ensures traffic on the loopback interface matches the IPv4
>>>> loopback characteristics (source and destination are within 127.0.0.0/8)
>>>> and prevents any damage in the unlikely case of non-loopback traffic
>>>> being injected/emitted (in)to the loopback interface.
>>>>
>>>> Cc: Arne Fitzenreiter
>>>> Cc: Michael Tremer
>>>> Signed-off-by: Peter M=C3=BCller >>>> --- >>>> src/initscripts/system/firewall | 6 +++--- >>>> 1 file changed, 3 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fi= rewall >>>> index 00512d9fa..409aaf7a9 100644 >>>> --- a/src/initscripts/system/firewall >>>> +++ b/src/initscripts/system/firewall >>>> @@ -219,10 +219,10 @@ iptables_init() { >>>> iptables -A INPUT -j ICMPINPUT >>>> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >>>> >>>> - # Accept everything on loopback >>>> + # Accept everything on loopback if both source and destination are wit= hin 127.0.0.0/8 >>>> iptables -N LOOPBACK >>>> - iptables -A LOOPBACK -i lo -j ACCEPT >>>> - iptables -A LOOPBACK -o lo -j ACCEPT >>>> + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> + iptables -A LOOPBACK -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT >>>> >>>> # Filter all packets with loopback addresses on non-loopback interfaces. >>>> iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP >>>> --=20 >>>> 2.26.1 >>> >>=20 >=20 --===============9015388019954486735==--
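Review bot: the replacement rules `iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT` (and the `-o lo` twin) are too narrow for the LOOPBACK chain, because the kernel also delivers traffic addressed to any of the host's own addresses over lo, not only 127.0.0.0/8; Matthias' log line `REJECT_INPUT lo TCP 192.168.100.254 53464 192.168.100.254 81` (the urlfilter redirect, source and destination both the GREEN address) is exactly such a flow, and after this hunk it no longer matches and falls through to the reject at the end of INPUT. Consider keeping the intent of the patch (no foreign addresses on lo) while accepting every host-local flow, e.g. `iptables -A LOOPBACK -i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT` with the matching `-o lo` variant, which still leaves the unchanged `iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP` to catch loopback addresses on other interfaces. The commit message should also state that local services reached via a non-loopback address of the box (such as the block page on port 81) are affected, since the description only mentions injected non-loopback traffic.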