This patchset improves IPFire's firewall engine by...
(a) improved logging of spoofed packets and martians
(b) prevention of spoofing attempts on RED's interface IP address
(c) dropping traffic from and to networks known to pose a technical threat to IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc... for details) by default on new installations, doing so in a dedicated, easy to configure IPtables chain. Sadly, a decent fraction of our userbase does not bother creating any firewall rules at all, so any outbound traffic is allowed on their networks. Therefore, preventing them from reaching the "baddest of the bad" makes sense for a basic detection of their devices and networks. Any sane IPS configuration would already cover the networks in question, so most IPFire machines running a decent IPS policy will already drop the offending traffic, albeit in a rather costly way.
Please note this patchset needs additional commits for the Core Update it is intended to go to, such as shipping the changed files, and adding sane defaults to existing installations in /var/ipfire/optionsfw/settings.
See also: #12031
Peter Müller (11):
  firewall: Log packets dropped due to conntrack INVALID state
  firewall: Accept inbound Tor traffic before applying the location filter
  firewall: Log and drop spoofed loopback packets
  firewall: Prevent spoofing our own RED IP address
  firewall: Introduce DROP_HOSTILE
  optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable
  Update German and English translation files
  collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
  graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well
  configroot: Enable logging of spoofed packets/martians by default
  configroot: Drop traffic from and to hostile networks by default
 config/cfgroot/graphs.pl        | 22 ++++++--
 config/collectd/collectd.conf   |  2 +
 html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
 langs/de/cgi-bin/de.pl          |  9 +++-
 langs/en/cgi-bin/en.pl          |  7 ++-
 lfs/configroot                  |  4 +-
 src/initscripts/system/firewall | 63 +++++++++++++++++-----
 7 files changed, 166 insertions(+), 37 deletions(-)
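The logging added by items (a) and (c) only pays off if someone reads the resulting kernel messages. The following is an added example, not code from this series or from IPFire, that parses iptables LOG lines carrying the prefixes used later in this thread ("DROP_SPOOFED_MARTIAN ", "DROP_HOSTILE ") plus the pre-existing "DROP_NEWNOTSYN", counts drops per reason, attributes each hostile-network hit to the remote address regardless of direction, and lists any loopback address seen on a non-lo interface. It assumes the usual "PREFIX KEY=VALUE ..." format of the LOG target and that the external interface is named red0; the log lines are constructed for the example, not captured from a real system.

```python
"""Summarise IPFire firewall LOG lines by drop reason (added example, not IPFire code)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Prefixes this example knows about; the first two are the ones this series introduces.
KNOWN_PREFIXES = ("DROP_SPOOFED_MARTIAN", "DROP_HOSTILE", "DROP_NEWNOTSYN")
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# The LOG target writes "PREFIX IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...".
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+) (?P<fields>.*)$")
# KEY=VALUE pairs; bare flags such as DF, SYN or ACK carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log (syslog style, one event per line); addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 18 21:22:01 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=127.0.0.1 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 18 21:22:02 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=55555 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 18 21:22:03 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=198.51.100.7 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=UDP SPT=49152 DPT=53 LEN=53
Jan 18 21:22:04 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=80 DPT=33333 WINDOW=1024 RES=0x00 ACK URGP=0
Jan 18 21:22:05 ipfire sshd[1234]: Accepted publickey for root from 192.168.1.20 port 51234 ssh2
Jan 18 21:22:06 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=2 PROTO=TCP SPT=55556 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return (prefix, fields) for a LOG line with a known prefix, else None."""
    m = LINE_RE.search(line)
    if not m or m.group("prefix") not in KNOWN_PREFIXES:
        return None
    return m.group("prefix"), dict(FIELD_RE.findall(m.group("fields")))


def remote_address(fields, red_iface):
    """The non-firewall side of the packet: the source if it arrived on RED, else the destination."""
    return fields.get("SRC", "?") if fields.get("IN") == red_iface else fields.get("DST", "?")


def summarise(lines, red_iface="red0"):
    """Return (drops per prefix, remote addresses per prefix). red_iface="red0" is an assumption."""
    per_prefix = Counter()
    per_remote = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        per_prefix[prefix] += 1
        per_remote[prefix][remote_address(fields, red_iface)] += 1
    return per_prefix, per_remote


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr) in LOOPBACK_NET
    except ValueError:
        return False


def spoofed_on_external(lines):
    """Martians that carried a 127/8 address on a non-lo interface, as (iface, src, dst)."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0] != "DROP_SPOOFED_MARTIAN":
            continue
        f = parsed[1]
        iface = f.get("IN") or f.get("OUT", "")
        if iface != "lo" and (is_loopback(f.get("SRC", "")) or is_loopback(f.get("DST", ""))):
            hits.append((iface, f.get("SRC"), f.get("DST")))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_prefix, per_remote = summarise(lines)
    for prefix, count in per_prefix.most_common():
        print(f"{prefix}: {count}")
        for remote, n in per_remote[prefix].most_common(3):
            print(f"  {remote}: {n}")
    print("loopback addresses on external interfaces:", spoofed_on_external(lines))
```

Feeding real data is a matter of replacing SAMPLE_LOG with the lines of /var/log/messages; the per-remote counter is the thing to watch, because one hostile network showing up both inbound and from an internal client (as 198.51.100.7 does here) usually means a device behind the firewall is trying to talk to it.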
In case of faulty connection tracking, this ensures such packets are logged, to make analysing network incidents less troublesome. Since NewNotSYN is handled before, where logging can be turned off for systems running on weak flash devices, the amount of log messages emitted here should be negligible.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 75ea8abdf..49c6b7bf9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -110,7 +110,7 @@ iptables_init() { # Connection tracking chains iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks @@ -136,7 +136,7 @@ iptables_init() { iptables -A INPUT -j P2PBLOCK iptables -A FORWARD -j P2PBLOCK iptables -A OUTPUT -j P2PBLOCK - + # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN @@ -265,7 +265,7 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT - + # Jump into the actual firewall ruleset. iptables -N INPUTFW iptables -A INPUT -j INPUTFW
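Review bot: the `-j LOG_DROP` target introduced in the @@ -110 hunk is not created anywhere in this patch, and `iptables -A` fails if the target chain does not exist yet, so please confirm LOG_DROP is set up in iptables_init() before the CONNTRACK chain is populated (or add its `iptables -N LOG_DROP` and LOG/DROP rules ahead of it in this patch). The commit message also says NewNotSYN logging can be switched off for weak flash devices, whereas this rule logs unconditionally; if LOG_DROP is rate-limited that is acceptable, otherwise it deserves the same toggle.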
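Review bot: the @@ -136 and @@ -265 hunks only remove trailing whitespace from blank lines around the GUARDIAN and INPUTFW sections and have nothing to do with the INVALID-state change; a separate cleanup commit would keep `git blame` on the CONNTRACK rule pointing at the functional change.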
Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain.
Note this affects Tor relay operators only.
Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f..., note the documentation in the wiki needs to be updated once this has landed in production.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi
+ # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK @@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT
- # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT
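Review bot: the @@ -227 hunk appends the TOR_INPUT jump to INPUT ahead of LOCATIONBLOCK, which deliberately exempts whatever TOR_INPUT accepts from the location filter and reverses the previously documented "location filter first" order; please say so in the `# Tor (inbound)` comment itself (e.g. "must stay above LOCATIONBLOCK, relays need inbound connections from everywhere"), so a later tidy-up does not silently move it back. It would also help reviewers if the commit message stated what TOR_INPUT accepts, since the exemption is only as narrow as that chain's rules.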
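Review bot: after the @@ -260 hunk the inbound and outbound Tor chains are created some 35 lines apart with the comment here shortened to `# Tor (outbound)`; a one-line pointer to where TOR_INPUT now lives would keep the two halves discoverable.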
Hello,
Can we make sure this is well documented somewhere?
Generally we said that the location filter comes first and this will change that behaviour.
Best, -Michael
On 18 Dec 2021, at 13:47, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from.
Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block needs to be done. I can take care of this.
Thanks, and best regards, Peter Müller
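Since the ordering of INPUT's jumps is exactly what this sub-thread wants documented, a check that can be run against a live ruleset is a useful companion to the wiki diagram. The following is an added example, not IPFire code: it parses iptables-save output and verifies the ordering invariants this series establishes (TOR_INPUT before LOCATIONBLOCK in INPUT, the 127/8 ACCEPT before the SPOOFED_MARTIAN fallback in LOOPBACK, INVALID state going to LOG_DROP in CONNTRACK, and LOG before DROP in DROP_HOSTILE). The two dumps are constructed to mirror the ruleset before and after the series and are not captures from a real machine.

```python
"""Check chain-ordering invariants in iptables-save output (added example, not IPFire code)."""
import re
import sys

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*)$")
JUMP_RE = re.compile(r"\s-j\s+(?P<target>\S+)")

# Constructed dump mirroring the order after this series (only the chains that matter here).
PATCHED_DUMP = """\
*filter
:INPUT DROP [0:0]
:CONNTRACK - [0:0]
:LOG_DROP - [0:0]
:DROP_HOSTILE - [0:0]
:LOOPBACK - [0:0]
:SPOOFED_MARTIAN - [0:0]
:TOR_INPUT - [0:0]
:LOCATIONBLOCK - [0:0]
-A INPUT -j CONNTRACK
-A INPUT -i red0 -m geoip --src-cc XD -j DROP_HOSTILE
-A INPUT -j LOOPBACK
-A INPUT -j TOR_INPUT
-A INPUT -j LOCATIONBLOCK
-A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP
-A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A LOOPBACK -s 127.0.0.0/8 -i lo -j ACCEPT
-A LOOPBACK -d 127.0.0.0/8 -o lo -j ACCEPT
-A LOOPBACK -i lo -j SPOOFED_MARTIAN
-A LOOPBACK -o lo -j SPOOFED_MARTIAN
-A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
-A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
-A SPOOFED_MARTIAN -m limit --limit 10/sec -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
-A SPOOFED_MARTIAN -m comment --comment DROP_SPOOFED_MARTIAN -j DROP
-A DROP_HOSTILE -m limit --limit 10/sec -j LOG --log-prefix "DROP_HOSTILE "
-A DROP_HOSTILE -m comment --comment DROP_HOSTILE -j DROP
COMMIT
"""

# Constructed dump mirroring the order before the series: location filter ahead of Tor,
# loopback accepted wholesale, INVALID silently dropped, no DROP_HOSTILE chain.
OLD_DUMP = """\
*filter
-A INPUT -j CONNTRACK
-A INPUT -j LOOPBACK
-A INPUT -j LOCATIONBLOCK
-A INPUT -j TOR_INPUT
-A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A CONNTRACK -m conntrack --ctstate INVALID -j DROP
-A LOOPBACK -i lo -j ACCEPT
-A LOOPBACK -o lo -j ACCEPT
-A LOOPBACK -s 127.0.0.0/8 -j DROP
-A LOOPBACK -d 127.0.0.0/8 -j DROP
COMMIT
"""


def filter_rules(dump):
    """Yield (chain, target-or-None) for every rule of the filter table, in ruleset order."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*filter", "*nat", ... start a table section
            table = line[1:]
            continue
        if table != "filter":
            continue
        m = RULE_RE.match(line)           # ":CHAIN ..." and "COMMIT" lines do not match
        if not m:
            continue
        jump = JUMP_RE.search(m.group("rest"))
        yield m.group("chain"), (jump.group("target") if jump else None)


def targets_of(dump, chain):
    """Jump targets of CHAIN in order, skipping rules without -j."""
    return [t for c, t in filter_rules(dump) if c == chain and t]


def jumps_before(dump, chain, first, second):
    """True if CHAIN's first jump to FIRST precedes its first jump to SECOND."""
    order = targets_of(dump, chain)
    if first not in order or second not in order:
        return False
    return order.index(first) < order.index(second)


def check_invariants(dump):
    """Ordering this series relies on; each value is True when the dump honours it."""
    return {
        "tor_before_locationblock": jumps_before(dump, "INPUT", "TOR_INPUT", "LOCATIONBLOCK"),
        "loopback_accept_before_martian": jumps_before(dump, "LOOPBACK", "ACCEPT", "SPOOFED_MARTIAN"),
        "conntrack_invalid_logged": "LOG_DROP" in targets_of(dump, "CONNTRACK"),
        "hostile_log_before_drop": jumps_before(dump, "DROP_HOSTILE", "LOG", "DROP"),
    }


if __name__ == "__main__":
    # Pipe "iptables-save" into this script; without a pipe the constructed dump is checked.
    dump = sys.stdin.read() if not sys.stdin.isatty() else PATCHED_DUMP
    results = check_invariants(dump)
    for name, ok in results.items():
        print(f"{'ok ' if ok else 'BAD'} {name}")
    sys.exit(0 if all(results.values()) else 1)
```

Run as `iptables-save | python3 check_order.py` on the firewall; a non-zero exit flags any invariant that a later change reordered. Checking first-jump positions rather than line numbers keeps the test stable when unrelated chains are inserted between the ones it cares about.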
Peter,
Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from.
It is from H&M (@hjkl, https://community.ipfire.org/u/hjkl): https://community.ipfire.org/t/location-block-filter-strictly-before-fw-input/3870/11?u=jon
Jon
On Jan 8, 2022, at 5:38 AM, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
Well, there is a diagram at the bottom of https://wiki.ipfire.org/configuration/firewall/iptables, which will need to be updated. However, it currently still says "GEOIPBLOCK" instead of "LOCATIONBLOCK", so it's outdated anyway, and I don't know what source it is generated from.
Aside from that, mentioning the change on https://wiki.ipfire.org/configuration/firewall/geoip-block needs to be done. I can take care of this.
Thanks, and best regards, Peter Müller
Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
+ # Log and subsequently drop spoofed packets or "martians", arriving from sources + # on interfaces where we don't expect them + iptables -N SPOOFED_MARTIAN + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN " + fi + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN" + # Chain to contain all the rules relating to bad TCP flags iptables -N BADTCP
@@ -177,14 +185,18 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT
- # Accept everything on loopback + # Accept everything on loopback if source/destination is loopback space... iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -j ACCEPT - iptables -A LOOPBACK -o lo -j ACCEPT + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT + + # ... and drop everything else on the loopback interface, since no other traffic should appear there + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN
- # Filter all packets with loopback addresses on non-loopback interfaces. - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN
for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j LOOPBACK
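Review bot: in the @@ -80 hunk, `DROPSPOOFEDMARTIAN` gates only the LOG rule while the DROP is unconditional, so the option name overstates what it controls; naming it LOGSPOOFEDMARTIAN (and exposing it as such in optionsfw.cgi) avoids a later reader assuming that "off" disables the filter itself. The `-m limit --limit 10/second` on the LOG rule is the right call since this chain is reachable from every interface and the existing NEWNOTSYN logging already has to be switchable for weak flash devices.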
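Review bot: in the @@ -177 hunk, `-A LOOPBACK -i lo -j SPOOFED_MARTIAN` (and the `-o lo` twin) will also catch locally originated traffic to the firewall's own non-loopback addresses: Linux delivers a connection from the box to one of its own interface addresses over lo with that address as both source and destination, so it no longer matches the 127.0.0.0/8 ACCEPT and is logged and dropped, which the previous blanket `-i lo -j ACCEPT` never did. Suggest accepting `-i lo -m addrtype --src-type LOCAL --dst-type LOCAL` (and the `-o lo` equivalent) ahead of the SPOOFED_MARTIAN fallback, and testing against a service bound to the GREEN address from the firewall itself before this becomes the default.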
Hello,
On 18 Dec 2021, at 13:48, Peter Müller peter.mueller@ipfire.org wrote:
Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
- # Log and subsequently drop spoofed packets or "martians", arriving from sources
- # on interfaces where we don't expect them
- iptables -N SPOOFED_MARTIAN
- if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then
DROP? Shouldn’t the variable be called LOGSPOOFEDMARTIAN?
You will always drop any packets sent to this chain, but you won’t always log them.
Is this what you intended?
iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN "
- fi
- iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN"
Hello Michael,
You will always drop any packets sent to this chain, but you won’t always log them.
Is this what you intended?
Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such packets.
Should I update the misleading "DROP*" variables as well to keep things consistent?
Thanks, and best regards, Peter Müller
Hello,
On 8 Jan 2022, at 11:43, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
You will always drop any packets sent to this chain, but you won’t always log them.
Is this what you intended?
Yes. "LOGSPOOFEDMARTIAN" would have been better indeed; currently, we also have things like "DROPNEWNOTSYN", which is actually just an option for toggling logging of such packets.
Should I update the misleading "DROP*" variables as well to keep things consistent?
Yes. I would say so. I like things when they are tidy.
-Michael
Thanks, and best regards, Peter Müller
Hello Michael,
thanks for your reply.
Since I already put that patchset into my temporary development branch for Core Update 164, I will work on a dedicated patch for renaming the variables instead of reverting these and submit a second version of the patchset.
Thanks, and best regards, Peter Müller
Agreed.
On 18 Jan 2022, at 21:22, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
Since I already put that patchset into my temporary development branch for Core Update 164, I will work on a dedicated patch for renaming the variables instead of reverting these and submit a second version of the patchset.
Don’t merge prematurely :)
Thanks, and best regards, Peter Müller
There is no legitimate reason why traffic from our own IP address on RED should ever appear incoming on that interface.
This prevents attackers from impersonating IPFire itself, and is only cleared/reset if the RED interface is brought up. Therefore, an attacker cannot bypass this by forcing a dial-up or DHCP connection to break down.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1c62c6e2c..9e62c0245 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -374,6 +374,17 @@ iptables_red_up() { iptables -F REDFORWARD iptables -t nat -F REDNAT
+ # Prohibit spoofing our own IP address on RED + if [ -f /var/ipfire/red/active ]; then + REDIP="$( cat /var/ipfire/red/local-ipaddress )"; + + if [ "$IFACE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN + elif [ "$DEVICE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN + fi + fi + # PPPoE / PPTP Device if [ "$IFACE" != "" ]; then # PPPoE / PPTP
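Review bot: in the @@ -374 hunk, `REDIP` is expanded unquoted and never checked for being non-empty; if /var/ipfire/red/active exists but local-ipaddress is empty or not yet written when the hook runs, the rule degenerates to `-s -i $IFACE` and iptables aborts, so guard the block with `[ -n "${REDIP}" ]` and quote `"${REDIP}"`, `"${IFACE}"` and `"${DEVICE}"`. The trailing `;` after the command substitution is harmless but unusual for this file.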
Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfere with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
+ # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK
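Review bot: in the @@ -139 hunk the OUTPUT rule matches `--src-cc XD` although, with `-o $IFACE`, the relevant address is the destination: packets the firewall itself sends to a hostile network carry its own source address and will never match, so it should read `iptables -A OUTPUT -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE`, as the FORWARD `-o` rule already does. Separately, these rules live in iptables_init() and use `-i $IFACE`/`-o $IFACE`, whereas iptables_red_up() treats IFACE as possibly empty (`if [ "$IFACE" != "" ]`); with an empty IFACE the interface argument is missing and iptables fails, so either drop the interface match here or create these rules from iptables_red_up(). Minor: "i. e." in the comment should be "e.g.", since Spamhaus DROP is one example of the sources.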
Hello,
I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
Whenever we download the database, we extract everything:
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-locatio...
So this should always work.
-Michael
On 18 Dec 2021, at 13:48, Peter Müller peter.mueller@ipfire.org wrote:
Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfere with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
- # Log and drop any traffic from and to networks known as being hostile, posing
- # a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
- if [ "$DROPHOSTILE" == "on" ]; then
iptables -N DROP_HOSTILE
iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
- fi
- # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK
-- 2.26.2
Hello Michael,
thanks for your reply.
This is good to know as I was surprised to see this working on my testing machine without any further exports/converting/${whatever} of the location database. :-)
Thanks, and best regards, Peter Müller
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++++++------- 1 file changed, 80 insertions(+), 16 deletions(-)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 1ecf4f180..481d5bdbd 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2014-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2014-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -110,6 +110,12 @@ $checked{'DROPWIRELESSINPUT'}{$settings{'DROPWIRELESSINPUT'}} = "checked='checke $checked{'DROPWIRELESSFORWARD'}{'off'} = ''; $checked{'DROPWIRELESSFORWARD'}{'on'} = ''; $checked{'DROPWIRELESSFORWARD'}{$settings{'DROPWIRELESSFORWARD'}} = "checked='checked'"; +$checked{'DROPSPOOFEDMARTIAN'}{'off'} = ''; +$checked{'DROPSPOOFEDMARTIAN'}{'on'} = ''; +$checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='checked'"; +$checked{'DROPHOSTILE'}{'off'} = ''; +$checked{'DROPHOSTILE'}{'on'} = ''; +$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'"; $checked{'DROPPROXY'}{'off'} = ''; $checked{'DROPPROXY'}{'on'} = ''; $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; @@ -195,24 +201,82 @@ END <br>
<table width='95%' cellspacing='0'> -<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/ - <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop input'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/ - <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop forward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/ - <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/ - <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/ - <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ - <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr> -<tr><td align='left' width='60%'>$Lang::tr{'drop 
wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ - <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr> + <tr bgcolor='$color{'color20'}'> + <td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop newnotsyn'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPNEWNOTSYN' value='on' $checked{'DROPNEWNOTSYN'}{'on'} />/ + <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop input'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPINPUT' value='on' $checked{'DROPINPUT'}{'on'} />/ + <input type='radio' name='DROPINPUT' value='off' $checked{'DROPINPUT'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop forward'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPFORWARD' value='on' $checked{'DROPFORWARD'}{'on'} />/ + <input type='radio' name='DROPFORWARD' value='off' $checked{'DROPFORWARD'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop outgoing'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPOUTGOING' value='on' $checked{'DROPOUTGOING'}{'on'} />/ + <input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop portscan'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/ + <input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' 
width='60%'>$Lang::tr{'drop wirelessinput'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/ + <input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/ + <input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop spoofed martians'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPSPOOFEDMARTIAN' value='on' $checked{'DROPSPOOFEDMARTIAN'}{'on'} />/ + <input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> </table> <br/>
+<table width='95%' cellspacing='0'> + <tr bgcolor='$color{'color20'}'> + <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td> + </tr> + <tr> + <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td> + <td align='left'> + $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/ + <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'} + </td> + </tr> +</table> +<br> + <table width='95%' cellspacing='0'> <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr> <tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
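Review bot: the second hunk rewrites every existing row of the "fw logging" table into multi-line markup at the same time as it adds the DROPSPOOFEDMARTIAN row and the new "fw red" table, so the two functional additions are buried in a layout-only diff; please move the re-indentation of the existing rows into a separate commit so the new rows can be reviewed on their own. Minor: the new "fw red" table is followed by `<br>` while the table above it ends with `<br/>`; pick one form.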
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- langs/de/cgi-bin/de.pl | 9 +++++++-- langs/en/cgi-bin/en.pl | 7 ++++++- 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..50829fc92 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr,
'24 hours' => '24 Stunden', @@ -909,12 +909,14 @@ 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', 'drop action2' => 'Standardverhalten der (Input) Firewall', 'drop forward' => 'Verworfene, von der Firewall weitergeleitete Pakete protokollieren', +'drop hostile' => 'Pakete von und zu bösartigen Netzen (Spamhaus DROP-Listing, etc.) verwerfen', 'drop input' => 'Verworfene eingehende Pakete protokollieren', 'drop newnotsyn' => 'Verworfene neue Pakete ohne SYN-Markierung protokollieren (NewNotSYN)', 'drop outgoing' => 'Verworfene, von der Firewall ausgehende Pakete protokollieren', 'drop portscan' => 'Verworfene Portscan Pakete protokollieren', 'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Pakete an Microsoftdienste verwerfen (Ports 135, 137, 138, 139, 445 und 1025)', +'drop spoofed martians' => 'Verworfene gefälschte Pakete und Marsianer protokollieren', 'drop wirelessforward' => 'Verworfene weitergeleitete Wireless-Pakete protokollieren', 'drop wirelessinput' => 'Verworfene eingehende Wireless-Pakete protokollieren', 'dst port' => 'Zielport', @@ -1106,7 +1108,7 @@ 'from email server' => 'Von E-Mail-Server', 'from email user' => 'Von E-Mail-Benutzer', 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', -'fw blue' => 'Firewalloptionen für das Blaue Interface', +'fw blue' => 'Firewalloptionen für das blaue Interface', 'fw default drop' => 'Firewallrichtlinie', 'fw logging' => 'Firewallprotokollierung', 'fw settings' => 'Firewalleinstellungen', @@ -1114,6 +1116,7 @@ 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', 'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fw red' => 'Firewalloptionen für das rote Interface', 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw MODE1' => 'Alle Pakete verwerfen', 
@@ -1355,6 +1358,7 @@ 'host deny' => 'Liste der nicht Zugriffsberechtigten', 'host ip' => 'Host IP-Adresse', 'host to net vpn' => 'Host-zu-Netz Virtual Private Network (RoadWarrior)', +'hostile networks' => 'Bösartige Netze', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname und Domain werden bereits benutzt.', 'hostname cant be empty' => 'Hostname darf nicht leer bleiben.', @@ -2268,6 +2272,7 @@ 'spectre variant 1' => 'Spectre-Variante 1', 'spectre variant 2' => 'Spectre-Variante 2', 'spectre variant 4' => 'Spectre-Variante 4', +'spoofed or martians' => 'Gefälscht/Marsianer', 'squid extension methods' => 'Ihre <tt>extension_methods</tt> Liste', 'squid extension methods invalid' => 'Ihre 'extension_methods' Liste darf nur Worte aus Großbuchstaben und Ziffer enthalten, die mittels eines Leerzeichens getrennt werden.', 'squid fix cache' => 'Zwischenspeicher reparieren', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a92bb07f8..74955d20e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr,
'24 hours' => '24 Hours', @@ -934,12 +934,14 @@ 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop action2' => 'Default behaviour of (input) firewall', 'drop forward' => 'Log dropped forward packets', +'drop hostile' => 'Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)', 'drop input' => 'Log dropped input packets', 'drop newnotsyn' => 'Log dropped new not SYN packets', 'drop outgoing' => 'Log dropped outgoing packets', 'drop portscan' => 'Log dropped portscan packets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', +'drop spoofed martians' => 'Log dropped spoofed packets and marsians', 'drop wirelessforward' => 'Log dropped wireless forward packets', 'drop wirelessinput' => 'Log dropped wireless input packets', 'dst port' => 'Dst Port', @@ -1141,6 +1143,7 @@ 'fw settings dropdown' => 'Show all networks on rulecreation site', 'fw settings remark' => 'Show remarks in ruletable', 'fw settings ruletable' => 'Show empty ruletables', +'fw red' => 'Firewall options for RED interface', 'fwdfw ACCEPT' => 'ACCEPT', 'fwdfw DROP' => 'DROP', 'fwdfw MODE1' => 'Drop all packets', @@ -1384,6 +1387,7 @@ 'host deny' => 'list with denied hosts', 'host ip' => 'Host IP address', 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', +'hostile networks' => 'Hostile networks', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', 'hostname cant be empty' => 'Hostname cannot be empty.', 
@@ -2309,6 +2313,7 @@ 'spectre variant 1' => 'Spectre Variant 1', 'spectre variant 2' => 'Spectre Variant 2', 'spectre variant 4' => 'Spectre Variant 4', +'spoofed or martians' => 'Spoofed/Martians', 'squid extension methods' => 'Your <tt>extension_methods</tt> list', 'squid extension methods invalid' => 'Your 'extension_methods' list can only contain uppercase words of letters and digits, separated with a space. ', 'squid fix cache' => 'Repair cache',
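Review bot: the first hunk of both de.pl and en.pl changes `%tr = (` to `%tr = ( %tr,`, which alters how the translation hash is initialised (merging into whatever `%tr` already holds instead of replacing it) and has nothing to do with adding the new strings; the commit has no message body beyond the Signed-off-by, so either drop that change or explain in the commit message why it is needed. Also, in en.pl the new string `'drop spoofed martians' => 'Log dropped spoofed packets and marsians'` has a typo: "marsians" should be "martians", consistent with the `'spoofed or martians' => 'Spoofed/Martians'` string added further down in the same file.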
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/collectd/collectd.conf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 941c631c9..b80e3b785 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -51,6 +51,8 @@ include "/etc/collectd.precache" Chain filter POLICYFWD DROP_FORWARD Chain filter POLICYOUT DROP_OUTPUT Chain filter POLICYIN DROP_INPUT + Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN + Chain filter HOSTILE DROP_HOSTILE </Plugin>
#<Plugin logfile>
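Review bot: `Chain filter HOSTILE DROP_HOSTILE` tells collectd's iptables plugin to count a rule commented `DROP_HOSTILE` in a filter-table chain named `HOSTILE`, but the firewall patch in this series creates the chain as `DROP_HOSTILE` (`iptables -N DROP_HOSTILE`) and puts the `DROP_HOSTILE` comment on its DROP rule, so no counter will be collected as written; either this line becomes `Chain filter DROP_HOSTILE DROP_HOSTILE` or the chain is renamed in the firewall initscript. The same check applies to `Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN` against the spoofed/martian patch, and whichever chain names are settled on must also match the `iptables-filter-…` RRD paths added to graphs.pl.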
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- config/cfgroot/graphs.pl | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 02341eb45..b964f1e80 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -3,7 +3,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # +# Copyright (C) 2005-2021 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -106,7 +106,7 @@ foreach (@sensorsdir){
sub makegraphbox { my ($origin, $name, $default_range) = @_; - + # Optional time range: Default to "day" unless otherwise specified $default_range = "day" unless ($default_range ~~ @time_ranges);
@@ -154,7 +154,7 @@ sub updatecpugraph { "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\j" ); - + my $nice = "CDEF:nice="; my $interrupt = "CDEF:interrupt="; my $steal = "CDEF:steal="; @@ -164,7 +164,7 @@ sub updatecpugraph { my $iowait = "CDEF:iowait="; my $irq = "CDEF:irq="; my $addstring = ""; - + for(my $i = 0; $i < $cpucount; $i++) { push(@command,"DEF:iowait".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-wait.rrd:value:AVERAGE" ,"DEF:nice".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-nice.rrd:value:AVERAGE" @@ -184,7 +184,7 @@ sub updatecpugraph { $iowait .= "iowait".$i.","; $irq .= "irq".$i.","; } - + for(my $i = 2; $i < $cpucount; $i++) { $addstring .= "ADDNAN,"; } @@ -692,6 +692,8 @@ sub updatefwhitsgraph { "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", + "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
@@ -722,6 +724,16 @@ sub updatefwhitsgraph { "GPRINT:portscan:AVERAGE:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:LAST:%8.1lf %sBps\j", + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}), + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps", + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps", + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps", + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\j", + "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}), + "GPRINT:hostile:MAX:%8.1lf %sBps", + "GPRINT:hostile:AVERAGE:%8.1lf %sBps", + "GPRINT:hostile:MIN:%8.1lf %sBps", + "GPRINT:hostile:LAST:%8.1lf %sBps\j", ); $ERROR = RRDs::error; return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
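Review bot: the two new `DEF:` lines in updatefwhitsgraph are unconditional, but DROPHOSTILE is a user-configurable option (and, per the cover letter, unset on existing installations until the Core Update adds a default), so on a box where the chain is not created collectd never writes `iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd`, RRDs::graph fails on the missing file, and the whole firewall hits graph stops rendering; the DEF/STACK/GPRINT entries for `hostile` and `spoofedmartian` should be added to @command only when the corresponding RRD file exists (or when the setting is on). Separately, the hunks in makegraphbox and updatecpugraph are trailing-whitespace removals unrelated to this change and belong in a cleanup commit of their own.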
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/configroot | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lfs/configroot b/lfs/configroot index e0156c746..4fa7aba79 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -114,7 +114,7 @@ $(TARGET) : echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "01" > $(CONFIG_ROOT)/certs/serial echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf - echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings @@ -130,6 +130,7 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
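Review bot: the first hunk replaces `echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings` with a visually identical line, i.e. a whitespace-only (tab/space) change unrelated to enabling DROPSPOOFEDMARTIAN; either drop it or mention it in the commit message, which currently consists of the Signed-off-by alone.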
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- lfs/configroot | 1 + 1 file changed, 1 insertion(+)
diff --git a/lfs/configroot b/lfs/configroot index 4fa7aba79..56c0c7c8f 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -131,6 +131,7 @@ $(TARGET) : echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
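Review bot: this only seeds `DROPHOSTILE=on` for fresh installations via lfs/configroot; as the cover letter itself notes, the Core Update still has to append `DROPHOSTILE=on` to /var/ipfire/optionsfw/settings on existing systems, otherwise `[ "$DROPHOSTILE" == "on" ]` in the firewall initscript stays false there and the chain is silently never created. Since this commit and the previous one touch the same three lines of lfs/configroot, consider squashing them into one "configroot: enable spoofed/martian logging and DROP_HOSTILE by default" commit.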
Hello,
I would like to make it short since I already said how much I like this on the video call…
Please see my replies to the individual patches.
-Michael
On 18 Dec 2021, at 13:46, Peter Müller peter.mueller@ipfire.org wrote: