Hello Michael,
thanks for your reply.
> Hello,
> I do not quite understand the rationale for this switch. Why would the user need to change this?
See below.
> You are talking about asymmetric routing which requires this to be configured in loose mode. Did you have a setup like this?
No, but you mentioned IPFire installations running such setups a few times to me, and that we cannot use strict Reverse Path Forwarding there because that would break asymmetric routing.
> And if so, I would just recommend to revert the original change that clearly seems to be incompatible with some installations then.
I think that is a misunderstanding: There is no original change; actually, I am trying to introduce a change that would improve IPFire's security for most users, while providing the remaining userbase fraction a possibility to disable that improvement, so they can continue to use IPFire.
> I do not see that this is desirable for the user to control. It is complicated to understand what is happening here and the benefits are so marginal (if there are any at all) that I don't think this is worth it.
Strict Reverse Path Forwarding renders classes of spoofing attacks void. Especially for internal attacks, I do think being resistant to spoofing is a security benefit.
This is a complex topic indeed, and most users probably won't understand this in general. I am afraid I do not have a solution to that, which is why I propose to turn this on on new installations, and recommend users to change it only if they know precisely what they are doing.
I hope this answers your questions. :-)
Thanks, and best regards, Peter Müller
> -Michael
On 18 Apr 2022, at 19:27, Peter Müller peter.mueller@ipfire.org wrote:
For the vast majority of IPFire installations (i. e. those who do not make use of asymmetric routing), it is safe to run the Linux kernel's Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704, section 2.2, significantly hampering spoofing attacks.
However, we cannot switch to this operating mode globally, since (a) some IPFire installations cannot use it and (b) we need to avoid a breaking change on this end.
Therefore, this patch adds a switch to the firewall options CGI, permitting users to choose between 'loose' and 'strict' RPF mode, where 'loose' is the current default. On existing installations, this should be left untouched (although users are urged to check whether they can switch to the 'strict' mode); similar to the 'drop hostile' feature, this should be set to 'strict' by default on new installations.
Since only a sysctl is changed under the hood, changes do not require a reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The corresponding misc-prog has been adjusted to reflect this.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
 html/cgi-bin/optionsfw.cgi    | 18 ++++++++++++++++++
 langs/de/cgi-bin/de.pl        |  3 +++
 langs/en/cgi-bin/en.pl        |  5 ++++-
 src/initscripts/system/sysctl | 11 ++++++++++-
 src/misc-progs/firewallctrl.c |  1 +
 5 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index fbff67b2f..72a4cddc8 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = ''; $selected{'MASQUERADE_BLUE'}{'on'} = ''; $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; +$checked{'RPFORWARDINGMODE'}{'loose'} = ''; +$checked{'RPFORWARDINGMODE'}{'strict'} = ''; +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} = "checked='checked'";
&Header::openbox('100%', 'center',); print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>"; @@ -334,6 +337,21 @@ END
</table>
<br /> + +<table width='95%' cellspacing='0'> + <tr bgcolor='$color{'color20'}'> + <td colspan='2' align='left'><b>$Lang::tr{'reverse path forwarding'}</b></td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'reverse path forwarding mode'}</td> + <td align='left'> + $Lang::tr{'strict'} <input type='radio' name='RPFORWARDINGMODE' value='strict' $checked{'RPFORWARDINGMODE'}{'strict'} />/ + <input type='radio' name='RPFORWARDINGMODE' value='loose' $checked{'RPFORWARDINGMODE'}{'loose'} /> $Lang::tr{'loose'} + </td> + </tr> +</table> +<br> + <table width='100%' cellspacing='0'> <tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' /> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6094c191a..047d47fe0 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1623,6 +1623,7 @@ 'logging server' => 'Protokollierungsserver', 'loginlogout' => 'Login/Logout', 'logs' => 'Protokolldateien', +'loose' => 'locker', 'loosedirectorychecking' => 'Loose directorychecking', 'low' => 'Niedrig', 'ls_dhcpd' => 'DHCP-Server:', @@ -2159,6 +2160,8 @@ 'restore defaults' => 'Voreinstellungen wiederherstellen', 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen', 'restore settings' => 'Einstellungen wiederherstellen', +'reverse path forwarding' => 'Reverse Path Forwarding', +'reverse path forwarding mode' => 'Betriebsmodus des Reverse Path Forwarding (siehe <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, Abschnitt 2</a>)', 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren', 'root' => 'Root', 'root certificate' => 'Root-Zertifikat', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 510ed095b..80d8f7f1a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1671,6 +1671,7 @@ 'logging server' => 'Logging Server', 'loginlogout' => 'Login/Logout', 'logs' => 'logs', +'loose' => 'loose', 'loosedirectorychecking' => 'Loosedirectorychecking', 'low' => 'Low', 'ls_dhcpd' => 'DHCP Server:', @@ -2211,6 +2212,8 @@ 'restore defaults' => 'Restore defaults', 'restore hardware settings' => 'Restore hardware settings', 'restore settings' => 'Reset Settings', +'reverse path forwarding' => 'Reverse Path Forwarding', +'reverse path forwarding mode' => 'Operating mode of Reverse Path Forwarding (see <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, section 2</a>)', 'reverse sort' => 'Sort in reverse chronological order', 'root' => 'Root', 'root certificate' => 'Root Certificate', @@ -2394,7 +2397,7 @@ 'stop' => 'Stop', 'stop ovpn server' => 'Stop OpenVPN Server', 'stopped' => 'STOPPED', -'strict' => 'Strict', +'strict' => 'strict', 'subject' => 'Subject', 'subject test' => 'Teste-mail', 'subject warn' => 'Warning - warnlevel reached', diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl index 8897c1faa..c7aebbc8d 100644 --- a/src/initscripts/system/sysctl +++ b/src/initscripts/system/sysctl @@ -22,6 +22,8 @@ . /etc/sysconfig/rc . ${rc_functions}
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
case "${1}" in start) if [ -f "/etc/sysctl.conf" ]; then @@ -29,7 +31,7 @@ case "${1}" in sysctl -q -p evaluate_retval fi
arch=`uname -m`
case "${arch}" in armv*) arch="armv6l":arch=$(uname -m)
@@ -40,6 +42,13 @@ case "${1}" in sysctl -q -p /etc/sysctl-${arch}.conf evaluate_retval fi
if [ "$RPFORWARDINGMODE" == "strict" ]; then
boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..."
sysctl -q -w net.ipv4.conf.all.rp_filter=1
evaluate_retval
fi
;;
status)
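Review bot: the `strict` branch in this hunk only writes `net.ipv4.conf.all.rp_filter=1`, but the kernel applies the maximum of `conf/all/rp_filter` and `conf/<interface>/rp_filter` when validating a packet on that interface, so any interface (or `conf/default`, which seeds new interfaces) still holding 2 from the `/etc/sysctl.conf` applied just above keeps loose mode and the switch silently has no effect there. Suggest also setting `net.ipv4.conf.default.rp_filter=1` and looping over the existing `/proc/sys/net/ipv4/conf/*/rp_filter` entries in this branch. There is also no `else` branch, so switching back from strict to loose relies entirely on `sysctl -q -p` above restoring the loose value on the next run; an explicit `sysctl -q -w net.ipv4.conf.all.rp_filter=2` would make that intent visible. Minor: `==` inside `[ ]` is a bash extension; `=` is the portable form.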
diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c index 0f176597d..b6756b0b1 100644 --- a/src/misc-progs/firewallctrl.c +++ b/src/misc-progs/firewallctrl.c @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) { if (!(initsetuid())) exit(1);
safe_system("/etc/rc.d/init.d/sysctl start"); int retval = safe_system("/usr/lib/firewall/rules.pl");
/* If rules.pl has been successfully executed, the indicator
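Review bot: in the optionsfw.cgi hunks, `$settings{'RPFORWARDINGMODE'}` is read to pre-select a radio button, but nothing in this patch supplies a value when the key is absent from an existing settings file, so on upgraded installations both `$checked{'RPFORWARDINGMODE'}` entries stay empty and neither button is selected; a line such as `$settings{'RPFORWARDINGMODE'} = 'loose' unless defined $settings{'RPFORWARDINGMODE'};` before the `$checked` assignments would fix that. The visible hunks also show no validation of the posted value against 'loose'/'strict' before it is saved, which should be added since the initscript later `eval`s the settings file. The commit message says new installations default to 'strict', yet no defaults file is touched here, so either that file or the message needs adjusting. Minor: the new table mixes `<br />` and `<br>`, and the en.pl hunk changes the existing `'strict'` string from 'Strict' to 'strict', which affects every other page that already uses `$Lang::tr{'strict'}`.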
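Review bot: the added `safe_system("/etc/rc.d/init.d/sysctl start")` discards its return value, whereas the `rules.pl` call right after it is checked through `retval`; a failure to apply the RPF setting therefore goes unnoticed and rule loading proceeds as if it succeeded. Suggest capturing the status (`int sysctl_ret = safe_system(...)`) and logging or returning on failure. Also, every firewall reload now re-runs the whole sysctl initscript, including `/etc/sysctl.conf` and the arch-specific file, to apply one setting; a narrower initscript action for the RPF sysctl alone would be cheaper and clearer.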
-- 2.34.1
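Because the patch applies strict mode by setting only `net.ipv4.conf.all.rp_filter`, while the kernel enforces the maximum of the `all` and per-interface values, an administrator wants a quick way to see which mode is actually in force on each interface. The following audit script is an added example, not IPFire's own code; it assumes an IPFire-style `KEY=value` settings file carrying `RPFORWARDINGMODE` and takes the sysctl tree directory as a parameter so it can also be run against a copied tree.

```shell
#!/bin/sh
# Added example, not IPFire's own code: audit which Reverse Path Forwarding
# mode the kernel really enforces per interface and compare it with the
# RPFORWARDINGMODE value from an IPFire-style settings file. The kernel uses
# max(conf/all/rp_filter, conf/<iface>/rp_filter), so setting only "all" to
# 1 (strict) is overridden by any interface that still reads 2 (loose).

rpf_name() {
    # Map the numeric sysctl value to its RFC 3704 mode name.
    case "$1" in
        0) echo off ;;  1) echo strict ;;  2) echo loose ;;  *) echo "unknown($1)" ;;
    esac
}

effective_rpf() {
    # Usage: effective_rpf <conf_dir> <iface>; <conf_dir> is normally
    # /proc/sys/net/ipv4/conf, a parameter so a copied tree can be checked.
    rpf_all=$(cat "$1/all/rp_filter" 2>/dev/null || echo 0)
    rpf_if=$(cat "$1/$2/rp_filter" 2>/dev/null || echo 0)
    if [ "$rpf_if" -gt "$rpf_all" ]; then rpf_name "$rpf_if"; else rpf_name "$rpf_all"; fi
}

configured_rpf() {
    # Usage: configured_rpf <settings_file>; reads KEY=value lines without
    # eval. A missing key means the current default, 'loose'.
    rpf_cfg=$(sed -n 's/^RPFORWARDINGMODE=//p' "$1" 2>/dev/null | head -n 1)
    case "$rpf_cfg" in strict) echo strict ;; *) echo loose ;; esac
}

report_rpf() {
    # Usage: report_rpf <conf_dir> <settings_file>; one line per interface,
    # flagging interfaces whose effective mode is weaker than configured.
    want=$(configured_rpf "$2")
    for d in "$1"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        have=$(effective_rpf "$1" "$iface")
        flag=""
        if [ "$want" = strict ] && [ "$have" != strict ]; then flag=" <-- weaker than configured"; fi
        printf '%-10s configured=%s effective=%s%s\n' "$iface" "$want" "$have" "$flag"
    done
}

# Run against the live kernel when the sysctl tree is present.
if [ -d /proc/sys/net/ipv4/conf ]; then
    report_rpf /proc/sys/net/ipv4/conf /var/ipfire/optionsfw/settings
fi
```

Any interface reported as weaker than the configured mode is one where the `all` sysctl alone did not win; its own `rp_filter` (or `conf/default` at the time it was created) has to be lowered as well.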