mbox series

[00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection

Message ID 34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org
Headers
Series firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection |

Message

Peter Müller Dec. 18, 2021, 1:46 p.m. UTC 
  This patchset improves IPFire's firewall engine by...

(a) improved logging of spoofed packets and martians

(b) prevention of spoofing attempts on RED's interface IP address

(c) dropping traffic from and to networks known to pose a technical threat to
    IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
    for details) by default on new installations, doing so in a dedicated, easy
    to configure IPtables chain.
    Sadly, a decent fraction of our userbase does not bother creating any firewall
    rules at all, so any outbound traffic is allowed on their networks. Therefore,
    preventing them from reaching the "baddest of the bad" makes sense for a basic
    detection of their devices and networks.
    Any sane IPS configuration would already cover the networks in question, so
    most IPFire machines running a decent IPS policy will already drop the offending
    traffic, albeit in a rather costly way.

Please note this patchset needs additional commits for the Core Update it is
intended to go to, such as shipping the changed files, and adding sane defaults
to existing installations in /var/ipfire/optionsfw/settings.

See also: #12031

Peter Müller (11):
  firewall: Log packets dropped due to conntrack INVALID state
  firewall: Accept inbound Tor traffic before applying the location
    filter
  firewall: Log and drop spoofed loopback packets
  firewall: Prevent spoofing our own RED IP address
  firewall: Introduce DROP_HOSTILE
  optionsfw.cgi: Make logging of spoofed/martians packets and the
    DROP_HOSTILE filter configurable
  Update German and English translation files
  collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
  graphs.pl: Display spoofed and hostile traffic in firewall hits
    diagram as well
  configroot: Enable logging of spoofed packets/martians by default
  configroot: Drop traffic from and to hostile networks by default

 config/cfgroot/graphs.pl        | 22 ++++++--
 config/collectd/collectd.conf   |  2 +
 html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
 langs/de/cgi-bin/de.pl          |  9 +++-
 langs/en/cgi-bin/en.pl          |  7 ++-
 lfs/configroot                  |  4 +-
 src/initscripts/system/firewall | 63 +++++++++++++++++-----
 7 files changed, 166 insertions(+), 37 deletions(-)

Comments

Michael Tremer Jan. 7, 2022, 4:57 p.m. UTC | #1 
Hello,

I would like to make it short since I already said how much I like this on the video call…

Please see my replies to the individual patches.

-Michael

> On 18 Dec 2021, at 13:46, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> This patchset improves IPFire's firewall engine by...
> 
> (a) improved logging of spoofed packets and martians
> 
> (b) prevention of spoofing attempts on RED's interface IP address
> 
> (c) dropping traffic from and to networks known to pose a technical threat to
>    IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10
>    for details) by default on new installations, doing so in a dedicated, easy
>    to configure IPtables chain.
>    Sadly, a decent fraction of our userbase does not bother creating any firewall
>    rules at all, so any outbound traffic is allowed on their networks. Therefore,
>    preventing them from reaching the "baddest of the bad" makes sense for a basic
>    detection of their devices and networks.
>    Any sane IPS configuration would already cover the networks in question, so
>    most IPFire machines running a decent IPS policy will already drop the offending
>    traffic, albeit in a rather costly way.
> 
> Please note this patchset needs additional commits for the Core Update it is
> intended to go to, such as shipping the changed files, and adding sane defaults
> to existing installations in /var/ipfire/optionsfw/settings.
> 
> See also: #12031
> 
> Peter Müller (11):
>  firewall: Log packets dropped due to conntrack INVALID state
>  firewall: Accept inbound Tor traffic before applying the location
>    filter
>  firewall: Log and drop spoofed loopback packets
>  firewall: Prevent spoofing our own RED IP address
>  firewall: Introduce DROP_HOSTILE
>  optionsfw.cgi: Make logging of spoofed/martians packets and the
>    DROP_HOSTILE filter configurable
>  Update German and English translation files
>  collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
>  graphs.pl: Display spoofed and hostile traffic in firewall hits
>    diagram as well
>  configroot: Enable logging of spoofed packets/martians by default
>  configroot: Drop traffic from and to hostile networks by default
> 
> config/cfgroot/graphs.pl        | 22 ++++++--
> config/collectd/collectd.conf   |  2 +
> html/cgi-bin/optionsfw.cgi      | 96 +++++++++++++++++++++++++++------
> langs/de/cgi-bin/de.pl          |  9 +++-
> langs/en/cgi-bin/en.pl          |  7 ++-
> lfs/configroot                  |  4 +-
> src/initscripts/system/firewall | 63 +++++++++++++++++-----
> 7 files changed, 166 insertions(+), 37 deletions(-)
> 
> -- 
> 2.26.2