Hello,
On 8 Jan 2022, at 11:43, Peter Müller <peter.mueller@ipfire.org> wrote:
Hello Michael,
You will always drop any packets sent to this chain, but you won’t always log them.
Is this what you intended?
yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such packets.
Should I update the misleading "DROP*" variables as well to keep things consistent?
Yes. I would say so. I like things when they are tidy.
-Michael
Thanks, and best regards, Peter Müller
Hello,
On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
src/initscripts/system/firewall | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
- # Log and subsequently drop spoofed packets or "martians", arriving from sources
- # on interfaces where we don't expect them
- iptables -N SPOOFED_MARTIAN
- if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
You will always drop any packets sent to this chain, but you won’t always log them.
Is this what you intended?
iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
- fi
- iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
- # Chain to contain all the rules relating to bad TCP flags iptables -N BADTCP
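Review bot: the switch tested at `if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then` only gates the LOG rule, while `iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"` runs unconditionally, so the variable controls logging, not dropping, and its name should say so (LOGSPOOFEDMARTIAN, as already raised in this thread). The hunk also does not show where the variable is set or defaulted; if it is absent from the sourced settings the test is false and spoofed packets are dropped silently, so the default should be stated explicitly next to the existing NEWNOTSYN toggle. Finally, `-m limit --limit 10/second` relies on the default `--limit-burst` of 5; spelling the burst out makes the logging behaviour reviewable in one line.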
@@ -177,14 +185,18 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
- # Accept everything on loopback
- # Accept everything on loopback if source/destination is loopback space... iptables -N LOOPBACK
- iptables -A LOOPBACK -i lo -j ACCEPT
- iptables -A LOOPBACK -o lo -j ACCEPT
- iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT
- iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT
- # ... and drop everything else on the loopback interface, since no other traffic should appear there
- iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN
- iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
- # Filter all packets with loopback addresses on non-loopback interfaces.
- iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP
- iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP
# Filter all packets with loopback addresses on non-loopback interfaces (spoofed)
iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j LOOPBACK
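Review bot: the new `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` and `-o lo -j SPOOFED_MARTIAN` rules, placed right after the two 127.0.0.0/8 ACCEPT rules, will drop legitimate local traffic. On Linux, a packet that a local process sends to any of the host's own addresses (a service bound to the green or red IP and reached from the firewall itself, for instance) is delivered over `lo` with a non-127.0.0.0/8 source and destination, so it misses the ACCEPT rules and lands in SPOOFED_MARTIAN, where it is dropped and logged as spoofed. The commit message's invariant (127.0.0.0/8 only on `lo`) holds, but its converse (only 127.0.0.0/8 on `lo`) does not. Suggested change: keep the removed `-i lo -j ACCEPT` / `-o lo -j ACCEPT`, and send only the two address-based rules at the end (`-s 127.0.0.0/8` and `-d 127.0.0.0/8` on a non-loopback interface) to SPOOFED_MARTIAN, which is the actual spoofing case. Minor: since the chain is attached to INPUT, FORWARD and OUTPUT by the `for i in INPUT FORWARD OUTPUT` loop, the `-o lo` rules can never match in INPUT and the `-i lo` rules never in OUTPUT; harmless, but worth a comment so the next reader does not look for a bug there.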
-- 2.26.2