Message ID | c254098f-c9e5-f7e0-7463-5feb90a229a9@ipfire.org |
---|---|
State | Accepted |
Commit | 970e8547becf91657ffa9bc4f84eb9bbf021b145 |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4HS7n63Qjmz3wbT for <patchwork@web04.haj.ipfire.org>; Sun, 10 Oct 2021 17:13:46 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4HS7n44t3Cz29D; Sun, 10 Oct 2021 17:13:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4HS7n42mVpz2xgV; Sun, 10 Oct 2021 17:13:44 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4HS7n24ZH6z2xMX for <development@lists.ipfire.org>; Sun, 10 Oct 2021 17:13:42 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4HS7n139bdz142 for <development@lists.ipfire.org>; Sun, 10 Oct 2021 17:13:41 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1633886022; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FFQlZ/9Kk8jKrCETbKgk09Z4jM33gArTx8dOzbp+e5k=; b=53ffAcNdDZVAcUC3dYGTAIJXzLiaUvipffP1DPSOlwCrY5uR9TgKHT30kR+DXPh5BDxwmw qaa9m7+QxZy4L+Dg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1633886022; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FFQlZ/9Kk8jKrCETbKgk09Z4jM33gArTx8dOzbp+e5k=; b=U+HsCQhwStWaeGAuQiwlZ2F8foTTkTVlo3dql2t5AX+ulO8NaRJYW2Kse9TDxQOTud3tfa YmTyESynSi9m0M1JH0jbjWFiyLufHCArB7DcwWMy1sg7yWOzWZNcsJyvuAFcMUbkte2PxW zwmrsUUW8WZHnljeJDNckNRJgaVttYSuEnnVhWo1CdN7iAdRZYsPTdryVplJaixtH8Pykx 4vVOA4ooxsk5hFZRgau8Ulmoe502BB1CG9wwHDzxcKcw45tLVMr6YN30A97lhVYLRi9Wzy CTKngbCjG9Yg4qkvtZxJIvMkEc73eDYucW61KUuoUtNPkeGr9XwYHMs2X777ow== To: "IPFire: Development" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP Message-ID: <c254098f-c9e5-f7e0-7463-5feb90a229a9@ipfire.org> Date: Sun, 10 Oct 2021 19:13:38 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
|
|
Commit Message
Peter Müller
Oct. 10, 2021, 5:13 p.m. UTC
This enables creating firewall rules using the special country code "XD"
for hostile networks safe to drop and ipinfo.cgi to display a meaningful
text for IP addresses having this flag set.
At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
will be in the future (as soon as libloc 0.9.9 is released and running
in production).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
config/cfgroot/location-functions.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Comments
Thank you. Do we want to make this is a more convenient option somewhere in the UI in the future? -Michael Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> > On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller@ipfire.org> wrote: > > This enables creating firewall rules using the special country code "XD" > for hostile networks safe to drop and ipinfo.cgi to display a meaningful > text for IP addresses having this flag set. > > At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but > will be in the future (as soon as libloc 0.9.9 is released and running > in production). > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > config/cfgroot/location-functions.pl | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl > index fb97eb589..4d44ce24d 100644 > --- a/config/cfgroot/location-functions.pl > +++ b/config/cfgroot/location-functions.pl > @@ -2,7 +2,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( > "A1" => "Anonymous Proxy", > "A2" => "Satellite Provider", > "A3" => "Worldwide Anycast Instance", > + "XD" => "Hostile networks safe to drop", > ); > > # Hash which contains possible network flags and their mapped location codes. > @@ -36,10 +37,11 @@ my %network_flags = ( > "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", > "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", > "LOC_NETWORK_FLAG_ANYCAST" => "A3", > + "LOC_NETWORK_FLAG_DROP" => "XD", > ); > > # Array which contains special country codes. > -my @special_locations = ( "A1", "A2", "A3" ); > +my @special_locations = ( "A1", "A2", "A3", "XD" ); > > # Directory where the libloc database and keyfile lives. > our $location_dir = "/var/lib/location/"; > -- > 2.26.2
Hello Michael, thanks for your reply. > Thank you. > > Do we want to make this is a more convenient option somewhere in the UI in the future? Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI to drop all traffic from and to (a) IP networks not being globally routable ("martians") (b) publicly routable yet unallocated IP networks ("bogons") (c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set on the RED interface. I think it is wise to split this up, since some people might need (a), but not (b) - Arne told me yesterday some mobile ISPs use public IP space internally -, and might not want to enable (c) for whatever reason. One size never fits all. (a) is something we (I) can implement straight away. As soon as this patch has been merged, (c) is no longer an issue, too. (b) is currently blocked due to bug #12691. And of course there will be a blog article about this. \o/ Thanks, and best regards, Peter Müller > > -Michael > > Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> > >> On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> This enables creating firewall rules using the special country code "XD" >> for hostile networks safe to drop and ipinfo.cgi to display a meaningful >> text for IP addresses having this flag set. >> >> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but >> will be in the future (as soon as libloc 0.9.9 is released and running >> in production). >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> config/cfgroot/location-functions.pl | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl >> index fb97eb589..4d44ce24d 100644 >> --- a/config/cfgroot/location-functions.pl >> +++ b/config/cfgroot/location-functions.pl >> @@ -2,7 +2,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( >> "A1" => "Anonymous Proxy", >> "A2" => "Satellite Provider", >> "A3" => "Worldwide Anycast Instance", >> + "XD" => "Hostile networks safe to drop", >> ); >> >> # Hash which contains possible network flags and their mapped location codes. >> @@ -36,10 +37,11 @@ my %network_flags = ( >> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", >> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", >> "LOC_NETWORK_FLAG_ANYCAST" => "A3", >> + "LOC_NETWORK_FLAG_DROP" => "XD", >> ); >> >> # Array which contains special country codes. >> -my @special_locations = ( "A1", "A2", "A3" ); >> +my @special_locations = ( "A1", "A2", "A3", "XD" ); >> >> # Directory where the libloc database and keyfile lives. >> our $location_dir = "/var/lib/location/"; >> -- >> 2.26.2 >
Hello, > On 13 Oct 2021, at 17:21, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > thanks for your reply. > >> Thank you. >> >> Do we want to make this is a more convenient option somewhere in the UI in the future? > > Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI > to drop all traffic from and to > (a) IP networks not being globally routable ("martians") Okay. I like this, but in existing setups this will break a lot. I have no idea what to expect from this being a default on new setups. > (b) publicly routable yet unallocated IP networks ("bogons") I don’t think this would break much and I would be interested to have statistics on this since we would not expect many firewall hits. People who will have issues with this will likely have broken their location database that it won’t update any more. > (c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set > on the RED interface. Mentally I am putting this into the same category as bogons (“I am never going to communicate to this network”). I believe this won’t break anything either. > I think it is wise to split this up, since some people might need (a), but not (b) - Arne > told me yesterday some mobile ISPs use public IP space internally -, and might not want > to enable (c) for whatever reason. One size never fits all. > (a) is something we (I) can implement straight away. As soon as this patch has been merged, (a) will need a lot of exceptions: * Networks that are locally connected (GREEN, BLUE, ORANGE, RED) * All VPNs (OpenVPN, IPsec, H2N and N2N) * All static routes * Maybe some SNAT/DNAT rules? These will have to be auto-generated and not bother the admins. Maybe it would be better to solve this in another way than using iptables. (b) If ISPs use unallocated address space they are on their own. I am sorry. Just stupid. But of course we can add exemptions. > (c) is no longer an issue, too. (b) is currently blocked due to bug #12691. We could generally work on this and only release it after #12691 is fixed. It is not a blocker for development. Just for release. > And of course there will be a blog article about this. \o/ Let’s get this on the list first and then think about that. -Michael > Thanks, and best regards, > Peter Müller > >> >> -Michael >> >> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> >> >>> On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> This enables creating firewall rules using the special country code "XD" >>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful >>> text for IP addresses having this flag set. >>> >>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but >>> will be in the future (as soon as libloc 0.9.9 is released and running >>> in production). >>> >>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>> --- >>> config/cfgroot/location-functions.pl | 6 ++++-- >>> 1 file changed, 4 insertions(+), 2 deletions(-) >>> >>> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl >>> index fb97eb589..4d44ce24d 100644 >>> --- a/config/cfgroot/location-functions.pl >>> +++ b/config/cfgroot/location-functions.pl >>> @@ -2,7 +2,7 @@ >>> ############################################################################### >>> # # >>> # IPFire.org - A linux based firewall # >>> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>> # # >>> # This program is free software: you can redistribute it and/or modify # >>> # it under the terms of the GNU General Public License as published by # >>> @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( >>> "A1" => "Anonymous Proxy", >>> "A2" => "Satellite Provider", >>> "A3" => "Worldwide Anycast Instance", >>> + "XD" => "Hostile networks safe to drop", >>> ); >>> >>> # Hash which contains possible network flags and their mapped location codes. >>> @@ -36,10 +37,11 @@ my %network_flags = ( >>> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", >>> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", >>> "LOC_NETWORK_FLAG_ANYCAST" => "A3", >>> + "LOC_NETWORK_FLAG_DROP" => "XD", >>> ); >>> >>> # Array which contains special country codes. >>> -my @special_locations = ( "A1", "A2", "A3" ); >>> +my @special_locations = ( "A1", "A2", "A3", "XD" ); >>> >>> # Directory where the libloc database and keyfile lives. >>> our $location_dir = "/var/lib/location/"; >>> -- >>> 2.26.2 >>
> On Oct 14, 2021, at 2:28 PM, Michael Tremer <michael.tremer@ipfire.org> wrote: > > Hello, > >> On 13 Oct 2021, at 17:21, Peter Müller <peter.mueller@ipfire.org> wrote: >> [ snip] >> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI >> to drop all traffic from and to >> (a) IP networks not being globally routable ("martians") [snip] >> (a) is something we (I) can implement straight away. As soon as this patch has been merged, > > > (a) will need a lot of exceptions: > > * Networks that are locally connected (GREEN, BLUE, ORANGE, RED) > * All VPNs (OpenVPN, IPsec, H2N and N2N) > * All static routes > * Maybe some SNAT/DNAT rules? > > These will have to be auto-generated and not bother the admins. > > Maybe it would be better to solve this in another way than using iptables. [snip] Is “carrier-grade NAT” no longer a thing? Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding Locally connected networks as mentioned above? Tom
Hello, > On 14 Oct 2021, at 20:08, Tom Rymes <tom@rymes.net> wrote: > > > >> On Oct 14, 2021, at 2:28 PM, Michael Tremer <michael.tremer@ipfire.org> wrote: >> >> Hello, >> >>> On 13 Oct 2021, at 17:21, Peter Müller <peter.mueller@ipfire.org> wrote: >>> > [ snip] > >>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI >>> to drop all traffic from and to >>> (a) IP networks not being globally routable ("martians") > > [snip] > >>> (a) is something we (I) can implement straight away. As soon as this patch has been merged, >> >> >> (a) will need a lot of exceptions: >> >> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED) >> * All VPNs (OpenVPN, IPsec, H2N and N2N) >> * All static routes >> * Maybe some SNAT/DNAT rules? >> >> These will have to be auto-generated and not bother the admins. >> >> Maybe it would be better to solve this in another way than using iptables. > > [snip] > > Is “carrier-grade NAT” no longer a thing? It is, but there is address space that is allocated for that. Bogons would be address space that isn’t allocated to anyone - of which there probably isn’t much. > Also, users behind a NAT router/modem/whatever will run into issues, though that’s maybe handled by excluding Locally connected networks as mentioned above? Yes, that is an absolute necessity. > > Tom > >
Hello Michael, > Hello, > >> On 13 Oct 2021, at 17:21, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Hello Michael, >> >> thanks for your reply. >> >>> Thank you. >>> >>> Do we want to make this is a more convenient option somewhere in the UI in the future? >> >> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI >> to drop all traffic from and to >> (a) IP networks not being globally routable ("martians") > > Okay. I like this, but in existing setups this will break a lot. It depends. Perhaps it might be a good idea to split this feature up: Martians belonging to networks used by IPFire (GREEN, BLUE, ORANGE, etc.), yet arriving on different interfaces, are spoofing attempts. Dropping these should cause relatively little harm, unless users run completely crappy setups. Martians on RED are different, and I would hesitate from enabling this by default on new installations, since it causes trouble if IPFire is used for internal segmentation (which I guess we have a lot of installations in companies) or behind existing routers, or ISPs doing things like DS-lite. What do you think of this proposal? > I have no idea what to expect from this being a default on new setups. > >> (b) publicly routable yet unallocated IP networks ("bogons") > > I don’t think this would break much and I would be interested to have statistics on this since we would not expect many firewall hits. Since the location database is updated weekly by default, very new BGP announcements will probably cause hits here. On the other hand, network operators usually do not set up their AS and expect to gain a lot of traffic an hour after. > People who will have issues with this will likely have broken their location database that it won’t update any more. > >> (c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set >> on the RED interface. > > Mentally I am putting this into the same category as bogons (“I am never going to communicate to this network”). I can relate to that, but still would make a difference here, in case people do not want their internet access to be filtered by an opinionated source. So, a dedicated switch for this makes sense to me. > I believe this won’t break anything either. Me neither. > >> I think it is wise to split this up, since some people might need (a), but not (b) - Arne >> told me yesterday some mobile ISPs use public IP space internally -, and might not want >> to enable (c) for whatever reason. One size never fits all. > >> (a) is something we (I) can implement straight away. As soon as this patch has been merged, > > > (a) will need a lot of exceptions: > > * Networks that are locally connected (GREEN, BLUE, ORANGE, RED) But only on their respective interface, right? GREEN traffic should not appear on BLUE. > * All VPNs (OpenVPN, IPsec, H2N and N2N) > * All static routes > * Maybe some SNAT/DNAT rules? > > These will have to be auto-generated and not bother the admins. ACK. > Maybe it would be better to solve this in another way than using iptables. You are thinking about routing here, aren't you? I like it, but we would have no logging possibility then, which makes troubleshooting tedious. > (b) If ISPs use unallocated address space they are on their own. I am sorry. Just stupid. But of course we can add exemptions. > >> (c) is no longer an issue, too. (b) is currently blocked due to bug #12691. > > We could generally work on this and only release it after #12691 is fixed. It is not a blocker for development. Just for release. ACK. Thanks, and best regards, Peter Müller > >> And of course there will be a blog article about this. \o/ > > Let’s get this on the list first and then think about that. > > -Michael > >> Thanks, and best regards, >> Peter Müller >> >>> >>> -Michael >>> >>> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> >>> >>>> On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller@ipfire.org> wrote: >>>> >>>> This enables creating firewall rules using the special country code "XD" >>>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful >>>> text for IP addresses having this flag set. >>>> >>>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but >>>> will be in the future (as soon as libloc 0.9.9 is released and running >>>> in production). >>>> >>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>>> --- >>>> config/cfgroot/location-functions.pl | 6 ++++-- >>>> 1 file changed, 4 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl >>>> index fb97eb589..4d44ce24d 100644 >>>> --- a/config/cfgroot/location-functions.pl >>>> +++ b/config/cfgroot/location-functions.pl >>>> @@ -2,7 +2,7 @@ >>>> ############################################################################### >>>> # # >>>> # IPFire.org - A linux based firewall # >>>> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>>> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>>> # # >>>> # This program is free software: you can redistribute it and/or modify # >>>> # it under the terms of the GNU General Public License as published by # >>>> @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( >>>> "A1" => "Anonymous Proxy", >>>> "A2" => "Satellite Provider", >>>> "A3" => "Worldwide Anycast Instance", >>>> + "XD" => "Hostile networks safe to drop", >>>> ); >>>> >>>> # Hash which contains possible network flags and their mapped location codes. >>>> @@ -36,10 +37,11 @@ my %network_flags = ( >>>> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", >>>> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", >>>> "LOC_NETWORK_FLAG_ANYCAST" => "A3", >>>> + "LOC_NETWORK_FLAG_DROP" => "XD", >>>> ); >>>> >>>> # Array which contains special country codes. >>>> -my @special_locations = ( "A1", "A2", "A3" ); >>>> +my @special_locations = ( "A1", "A2", "A3", "XD" ); >>>> >>>> # Directory where the libloc database and keyfile lives. >>>> our $location_dir = "/var/lib/location/"; >>>> -- >>>> 2.26.2 >>> >
Hello, > On 15 Oct 2021, at 10:16, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > >> Hello, >> >>> On 13 Oct 2021, at 17:21, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> Hello Michael, >>> >>> thanks for your reply. >>> >>>> Thank you. >>>> >>>> Do we want to make this is a more convenient option somewhere in the UI in the future? >>> >>> Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI >>> to drop all traffic from and to >>> (a) IP networks not being globally routable ("martians") >> >> Okay. I like this, but in existing setups this will break a lot. > > It depends. Perhaps it might be a good idea to split this feature up: > > Martians belonging to networks used by IPFire (GREEN, BLUE, ORANGE, etc.), yet arriving > on different interfaces, are spoofing attempts. Dropping these should cause relatively little > harm, unless users run completely crappy setups. Static routes? The firewall also responds with ARP replies for all its IP addresses on all interfaces. This might not be as easily enforceable as you want it unless you change fundamental behaviour of the system which might break things. > Martians on RED are different, and I would hesitate from enabling this by default on new > installations, since it causes trouble if IPFire is used for internal segmentation (which > I guess we have a lot of installations in companies) or behind existing routers, or ISPs > doing things like DS-lite. > > What do you think of this proposal? What is the point of this feature then if it isn’t enabled on the interface where it makes the most sense? Just because this is going to be difficult doesn’t mean we should lose our goal. > >> I have no idea what to expect from this being a default on new setups. >> >>> (b) publicly routable yet unallocated IP networks ("bogons") >> >> I don’t think this would break much and I would be interested to have statistics on this since we would not expect many firewall hits. > > Since the location database is updated weekly by default, very new BGP announcements will > probably cause hits here. On the other hand, network operators usually do not set up their > AS and expect to gain a lot of traffic an hour after. No, it is a well-known practise to announce prefixes for a while before sending any production traffic. >> People who will have issues with this will likely have broken their location database that it won’t update any more. >> >>> (c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set >>> on the RED interface. >> >> Mentally I am putting this into the same category as bogons (“I am never going to communicate to this network”). > > I can relate to that, but still would make a difference here, in case people do not want > their internet access to be filtered by an opinionated source. So, a dedicated switch for > this makes sense to me. > >> I believe this won’t break anything either. > > Me neither. > >> >>> I think it is wise to split this up, since some people might need (a), but not (b) - Arne >>> told me yesterday some mobile ISPs use public IP space internally -, and might not want >>> to enable (c) for whatever reason. One size never fits all. >> >>> (a) is something we (I) can implement straight away. As soon as this patch has been merged, >> >> >> (a) will need a lot of exceptions: >> >> * Networks that are locally connected (GREEN, BLUE, ORANGE, RED) > > But only on their respective interface, right? GREEN traffic should not appear on BLUE. Correct. >> * All VPNs (OpenVPN, IPsec, H2N and N2N) >> * All static routes >> * Maybe some SNAT/DNAT rules? >> >> These will have to be auto-generated and not bother the admins. > > ACK. > >> Maybe it would be better to solve this in another way than using iptables. > > You are thinking about routing here, aren't you? I like it, but we would have no logging > possibility then, which makes troubleshooting tedious. tcpdump will be your friend. >> (b) If ISPs use unallocated address space they are on their own. I am sorry. Just stupid. But of course we can add exemptions. >> >>> (c) is no longer an issue, too. (b) is currently blocked due to bug #12691. >> >> We could generally work on this and only release it after #12691 is fixed. It is not a blocker for development. Just for release. > > ACK. > > Thanks, and best regards, > Peter Müller > >> >>> And of course there will be a blog article about this. \o/ >> >> Let’s get this on the list first and then think about that. >> >> -Michael >> >>> Thanks, and best regards, >>> Peter Müller >>> >>>> >>>> -Michael >>>> >>>> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> >>>> >>>>> On 10 Oct 2021, at 18:13, Peter Müller <peter.mueller@ipfire.org> wrote: >>>>> >>>>> This enables creating firewall rules using the special country code "XD" >>>>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful >>>>> text for IP addresses having this flag set. >>>>> >>>>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but >>>>> will be in the future (as soon as libloc 0.9.9 is released and running >>>>> in production). >>>>> >>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>>>> --- >>>>> config/cfgroot/location-functions.pl | 6 ++++-- >>>>> 1 file changed, 4 insertions(+), 2 deletions(-) >>>>> >>>>> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl >>>>> index fb97eb589..4d44ce24d 100644 >>>>> --- a/config/cfgroot/location-functions.pl >>>>> +++ b/config/cfgroot/location-functions.pl >>>>> @@ -2,7 +2,7 @@ >>>>> ############################################################################### >>>>> # # >>>>> # IPFire.org - A linux based firewall # >>>>> -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # >>>>> +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >>>>> # # >>>>> # This program is free software: you can redistribute it and/or modify # >>>>> # it under the terms of the GNU General Public License as published by # >>>>> @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( >>>>> "A1" => "Anonymous Proxy", >>>>> "A2" => "Satellite Provider", >>>>> "A3" => "Worldwide Anycast Instance", >>>>> + "XD" => "Hostile networks safe to drop", >>>>> ); >>>>> >>>>> # Hash which contains possible network flags and their mapped location codes. >>>>> @@ -36,10 +37,11 @@ my %network_flags = ( >>>>> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", >>>>> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", >>>>> "LOC_NETWORK_FLAG_ANYCAST" => "A3", >>>>> + "LOC_NETWORK_FLAG_DROP" => "XD", >>>>> ); >>>>> >>>>> # Array which contains special country codes. >>>>> -my @special_locations = ( "A1", "A2", "A3" ); >>>>> +my @special_locations = ( "A1", "A2", "A3", "XD" ); >>>>> >>>>> # Directory where the libloc database and keyfile lives. >>>>> our $location_dir = "/var/lib/location/"; >>>>> -- >>>>> 2.26.2
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl index fb97eb589..4d44ce24d 100644 --- a/config/cfgroot/location-functions.pl +++ b/config/cfgroot/location-functions.pl @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -29,6 +29,7 @@ my %not_iso_3166_location = ( "A1" => "Anonymous Proxy", "A2" => "Satellite Provider", "A3" => "Worldwide Anycast Instance", + "XD" => "Hostile networks safe to drop", ); # Hash which contains possible network flags and their mapped location codes. @@ -36,10 +37,11 @@ my %network_flags = ( "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" => "A1", "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" => "A2", "LOC_NETWORK_FLAG_ANYCAST" => "A3", + "LOC_NETWORK_FLAG_DROP" => "XD", ); # Array which contains special country codes. -my @special_locations = ( "A1", "A2", "A3" ); +my @special_locations = ( "A1", "A2", "A3", "XD" ); # Directory where the libloc database and keyfile lives. our $location_dir = "/var/lib/location/";