Message ID | c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org |
---|---|
State | Accepted |
Commit | 97154d057bdbc7fa34309e9a5ad389775eff210d |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyp06Dzz3wtM for <patchwork@web04.haj.ipfire.org>; Sat, 18 Dec 2021 13:48:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRyn4kncz4Jy; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyn4K6bz2xqw; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRym23wgz2xXd for <development@lists.ipfire.org>; Sat, 18 Dec 2021 13:48:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyl2mQGz3fh for <development@lists.ipfire.org>; Sat, 18 Dec 2021 13:48:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=uA2KY1mHARltxWYtt6P85Hi0a1f/lDd19deCDDYOb43aAcSwU5MCu3Pf+9eSqo/s69PMV7 dMe7J+imZo02piBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=KQ0UDvl2MnBamAKC0KXu3sCaIwaqU7S+IVG0KaXLHla4cZjz1EiAb2LLc6gxEhbAXwouvk L3L7h7jv9qnxfDJnctqVW48D+vR1X8TeAFci5iVDqr3hltroQ8crq5XHlYQ1YS+bI9ehf6 r0GzbM0K6nGbtikDHUqdMmDseUGlNCFwtNKIIYqJgVq4NfTFurv5MmA/6CEhLn2BUqXC/d c/+1+dS+GMsOqVul9ne/HNDsqT2PujRce1HZJyMllo9RwNdMcE7V8eK/RTOhXqPRTT7rSa W7OwuVlW9vhk/zR3m/4AcSFOfdV9GecU93PFI/ZvSs36KnLpuSuHymZvfRp1lQ== Subject: [PATCH 05/11] firewall: Introduce DROP_HOSTILE To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Message-ID: <c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org> Date: Sat, 18 Dec 2021 14:48:46 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection
|
|
Commit Message
Peter Müller
Dec. 18, 2021, 1:48 p.m. UTC
Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfer with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 14 ++++++++++++++
1 file changed, 14 insertions(+)
Comments
Hello, I told you that you will need to export the lists before you can load them, but that seems to have been incorrect. Whenever we download the database, we extract everything: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD So this should always work. -Michael > On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote: > > Similar to the Location block, this chain logs and drops all traffic > from and to networks known to pose technical threats to IPFire users. > > Doing so in a dedicated chain makes sense for transparency reasons, as > we won't interfer with other firewall rules or the Location block, so it > is always clear why a packet from or to such a network has been dropped. > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > src/initscripts/system/firewall | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall > index 9e62c0245..ebc8168ae 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -139,6 +139,20 @@ iptables_init() { > iptables -t nat -N CUSTOMPOSTROUTING > iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING > > + # Log and drop any traffic from and to networks known as being hostile, posing > + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) > + if [ "$DROPHOSTILE" == "on" ]; then > + iptables -N DROP_HOSTILE > + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " > + > + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE > + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE > + > + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" > + fi > + > # P2PBLOCK > iptables -N P2PBLOCK > iptables -A INPUT -j P2PBLOCK > -- > 2.26.2
Hello Michael, thanks for your reply. This is good to know as I was surprised to see this working on my testing machine without any further exports/converting/${whatever} of the location database. :-) Thanks, and best regards, Peter Müller > Hello, > > I told you that you will need to export the lists before you can load them, but that seems to have been incorrect. > > Whenever we download the database, we extract everything: > > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD > > So this should always work. > > -Michael > >> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Similar to the Location block, this chain logs and drops all traffic >> from and to networks known to pose technical threats to IPFire users. >> >> Doing so in a dedicated chain makes sense for transparency reasons, as >> we won't interfer with other firewall rules or the Location block, so it >> is always clear why a packet from or to such a network has been dropped. >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> src/initscripts/system/firewall | 14 ++++++++++++++ >> 1 file changed, 14 insertions(+) >> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall >> index 9e62c0245..ebc8168ae 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -139,6 +139,20 @@ iptables_init() { >> iptables -t nat -N CUSTOMPOSTROUTING >> iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING >> >> + # Log and drop any traffic from and to networks known as being hostile, posing >> + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) >> + if [ "$DROPHOSTILE" == "on" ]; then >> + iptables -N DROP_HOSTILE >> + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " >> + >> + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE >> + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE >> + >> + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" >> + fi >> + >> # P2PBLOCK >> iptables -N P2PBLOCK >> iptables -A INPUT -j P2PBLOCK >> -- >> 2.26.2 >
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK