There is no legitimate reason why traffic from our own IP address on RED should ever appear incoming on that interface.
This prevents attackers from impersonating IPFire itself, and is only cleared/reset if the RED interface is brought up. Therefore, an attacker cannot bypass this by foring a dial-up or DHCP connection to break down.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/firewall | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1c62c6e2c..9e62c0245 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -374,6 +374,17 @@ iptables_red_up() { iptables -F REDFORWARD iptables -t nat -F REDNAT
+ # Prohibit spoofing our own IP address on RED + if [ -f /var/ipfire/red/active ]; then + REDIP="$( cat /var/ipfire/red/local-ipaddress )"; + + if [ "$IFACE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN + elif [ "$DEVICE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN + fi + fi + # PPPoE / PPTP Device if [ "$IFACE" != "" ]; then # PPPoE / PPTP