| Message ID | 20220214163227.10958-1-arne_f@ipfire.org |
|---|---|
| State | Accepted |
| Commit | 2b44044bcf6d4aebcccc223390cf553c68d62eab |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Jy8sB2vqrz3wsl for <patchwork@web04.haj.ipfire.org>; Mon, 14 Feb 2022 16:32:46 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Jy8s90n88z3gG; Mon, 14 Feb 2022 16:32:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Jy8s86TGKz2yZt; Mon, 14 Feb 2022 16:32:44 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Jy8s73ZTYz2xKb for <development@lists.ipfire.org>; Mon, 14 Feb 2022 16:32:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Jy8s64bG3zf8; Mon, 14 Feb 2022 16:32:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1644856362; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=S9rSznr9kuEmzXNu1OV0vk9kW3EYlDidhCMI9eFBvQA=; b=HUt4SdPsK1OfUmwPcLI3F4A0eWfGS3j9RqkVCaL5MQpHT7zvXLG3iXq3963PuuCBHlNhBR Tpx+EeE8ouah5vCA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1644856362; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=S9rSznr9kuEmzXNu1OV0vk9kW3EYlDidhCMI9eFBvQA=; b=cF6UzHr7JcKEzd4k9t0cU45Q2ODnmdocOydgsXVd+fkavLtjcyTixblbcGOvnIc+owTVoG I2rMVq4+MhWlQlfB/5PhBTUe+kLihpDyB/q7FaP5LldqvXQUQJVswQRxdd/7afDrdd4xPo h9F47seJMYVMk0dEsIjV9ts7xLly16V4dLhtOB4Cz060kcjVJ4pFIjK2tSCl1aSzOoxB2L TJVzVcqSR+BVcjCe3+wFNwj4Wpw3LXCoxTtcmzI3JSCzOsi8kT+T/gCezT5i2nk5k4okCJ vpbZYGHIXSKWuA54d6YvTaecNXN+AVYn3gOea6F7hnlUVTqxhYf2S4Wnn0DiIw== From: Arne Fitzenreiter <arne_f@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] firewall: Revert strict martian check on loopback interface Date: Mon, 14 Feb 2022 17:32:27 +0100 Message-Id: <20220214163227.10958-1-arne_f@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Cc: Arne Fitzenreiter <arne_f@ipfire.org> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
| Series |
firewall: Revert strict martian check on loopback interface
|
|
Commit Message
Arne Fitzenreiter
Feb. 14, 2022, 4:32 p.m. UTC
If the firewall is talking to itself using one of its private IP
addresses (e.g. the primary green interface IP address), it will use the
loopback interface.
This is due to the local routing table which will be looked up first:
[root@ipfire ~]# ip rule
0: from all lookup local
128: from all lookup 220
220: from all lookup 220
32765: from all lookup static
32766: from all lookup main
32767: from all lookup default
It contains:
[root@ipfire ~]# ip route show table local
local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1
broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1
Any lookup for the green IP address will show this:
local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0
cache <local>
A test ping shows this in tcpdump:
[root@ipfire ~]# tcpdump -i any icmp -nn
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64
17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64
17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64
17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64
For this reason, we will have to accept any source and destination IP
address on the loopback interface, which is what this patch does.
We can however, continue to check whether we received any packets with
the loopback address on any other interface.
This regression was introduced in commit a36cd34e.
Fixes: #12776 - New spoofed or martian filter block
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/firewall | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
Comments
Hello Arne, hello Michael, hello *, thank you for spotting this. While I cannot explain to myself why I did not realise this during my tests, I agree it makes sense to revert that part of the spoofed/martian firewall changes. Apologies for the trouble caused. Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Thanks, and best regards, Peter Müller > If the firewall is talking to itself using one of its private IP > addresses (e.g. the primary green interface IP address), it will use the > loopback interface. > > This is due to the local routing table which will be looked up first: > > [root@ipfire ~]# ip rule > 0: from all lookup local > 128: from all lookup 220 > 220: from all lookup 220 > 32765: from all lookup static > 32766: from all lookup main > 32767: from all lookup default > > It contains: > > [root@ipfire ~]# ip route show table local > local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 > local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1 > broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1 > > Any lookup for the green IP address will show this: > > local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0 > cache <local> > > A test ping shows this in tcpdump: > > [root@ipfire ~]# tcpdump -i any icmp -nn > tcpdump: data link type LINUX_SLL2 > tcpdump: verbose output suppressed, use -v[v]... for full protocol decode > listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes > 17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64 > 17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64 > 17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64 > 17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64 > > For this reason, we will have to accept any source and destination IP > address on the loopback interface, which is what this patch does. > > We can however, continue to check whether we received any packets with > the loopback address on any other interface. > > This regression was introduced in commit a36cd34e. > > Fixes: #12776 - New spoofed or martian filter block > Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> > Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> > --- > src/initscripts/system/firewall | 10 +++------- > 1 file changed, 3 insertions(+), 7 deletions(-) > > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > index 48653ff57..fc355cd5d 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -200,14 +200,10 @@ iptables_init() { > iptables -A INPUT -j ICMPINPUT > iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT > > - # Accept everything on loopback if source/destination is loopback space... > + # Accept everything on loopback > iptables -N LOOPBACK > - iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT > - iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT > - > - # ... and drop everything else on the loopback interface, since no other traffic should appear there > - iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN > - iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN > + iptables -A LOOPBACK -i lo -j ACCEPT > + iptables -A LOOPBACK -o lo -j ACCEPT > > # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) > iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
Hello, I didn’t foresee this either. It is one of those reasons why networking is hard, because there are so many shortcuts to keep things simple and fast. > On 14 Feb 2022, at 19:14, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Arne, > hello Michael, > hello *, > > thank you for spotting this. While I cannot explain to myself why I did not realise > this during my tests, I agree it makes sense to revert that part of the spoofed/martian > firewall changes. > > Apologies for the trouble caused. No trouble caused. -Michael > > Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > > Thanks, and best regards, > Peter Müller > > >> If the firewall is talking to itself using one of its private IP >> addresses (e.g. the primary green interface IP address), it will use the >> loopback interface. >> >> This is due to the local routing table which will be looked up first: >> >> [root@ipfire ~]# ip rule >> 0: from all lookup local >> 128: from all lookup 220 >> 220: from all lookup 220 >> 32765: from all lookup static >> 32766: from all lookup main >> 32767: from all lookup default >> >> It contains: >> >> [root@ipfire ~]# ip route show table local >> local 8x.1x.1x.1x dev ppp0 proto kernel scope host src 8x.1x.1x.1x >> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 >> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 >> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 >> local 192.168.x.1 dev green0 proto kernel scope host src 192.168.x.1 >> broadcast 192.168.x.255 dev green0 proto kernel scope link src 192.168.x.1 >> >> Any lookup for the green IP address will show this: >> >> local 192.168.x.1 dev lo table local src 192.168.x.1 uid 0 >> cache <local> >> >> A test ping shows this in tcpdump: >> >> [root@ipfire ~]# tcpdump -i any icmp -nn >> tcpdump: data link type LINUX_SLL2 >> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode >> listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes >> 17:24:22.864293 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 10420, seq 1, length 64 >> 17:24:22.864422 lo In IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 10420, seq 1, length 64 >> 17:24:29.162021 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo request, id 1555, seq 1, length 64 >> 17:24:29.162201 lo In IP 192.168.x.1 > 192.168.x.1: ICMP echo reply, id 1555, seq 1, length 64 >> >> For this reason, we will have to accept any source and destination IP >> address on the loopback interface, which is what this patch does. >> >> We can however, continue to check whether we received any packets with >> the loopback address on any other interface. >> >> This regression was introduced in commit a36cd34e. >> >> Fixes: #12776 - New spoofed or martian filter block >> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> >> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >> --- >> src/initscripts/system/firewall | 10 +++------- >> 1 file changed, 3 insertions(+), 7 deletions(-) >> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >> index 48653ff57..fc355cd5d 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -200,14 +200,10 @@ iptables_init() { >> iptables -A INPUT -j ICMPINPUT >> iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT >> >> - # Accept everything on loopback if source/destination is loopback space... >> + # Accept everything on loopback >> iptables -N LOOPBACK >> - iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT >> - iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT >> - >> - # ... and drop everything else on the loopback interface, since no other traffic should appear there >> - iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN >> - iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN >> + iptables -A LOOPBACK -i lo -j ACCEPT >> + iptables -A LOOPBACK -o lo -j ACCEPT >> >> # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) >> iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 48653ff57..fc355cd5d 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -200,14 +200,10 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT - # Accept everything on loopback if source/destination is loopback space... + # Accept everything on loopback iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT - iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT - - # ... and drop everything else on the loopback interface, since no other traffic should appear there - iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN - iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN + iptables -A LOOPBACK -i lo -j ACCEPT + iptables -A LOOPBACK -o lo -j ACCEPT # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN