From patchwork Sat Dec 18 13:46:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 7 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRww276Nz3wtM for ; Sat, 18 Dec 2021 13:47:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRwt13bKz1F4; Sat, 18 Dec 2021 13:47:10 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRws57MTz2yWZ; Sat, 18 Dec 2021 13:47:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRwr59ntz2xW7 for ; Sat, 18 Dec 2021 13:47:08 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRwq2X9fz192 for ; Sat, 18 Dec 2021 13:47:07 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=pfo4EPblmTAM8xMdHac6jbMOam7iRnCApJbPXJ8T3zs=; b=aqzqx3elTSmaJKkuW9RUdMAqWn3VYRZ1Wz+MQECfJ3fNNyA7JFqtMa3rE6sKNb/WRvO8Xp r4C2BzSQ+dzEHPDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=pfo4EPblmTAM8xMdHac6jbMOam7iRnCApJbPXJ8T3zs=; b=dIfsLtTG7pdbZThW7bboWBZMASnvbjs44uEOfUP/BFdjxnv7RcEJjX/OjGooyRewdtSb/s poT7lK+GJ1IXfEJwRlQzBx4PArZmRw+18IIeoFPO9Mdgbb2jVUxMOzt0Ujlx+tdkrlraEG 1mN3qfiUMWzrzql7ZRxHFNqjhHuf+OhDmFQgFBZS0UT0za8pFTWBZ4vVL0Vr4USAmJHfTZ rixajYgxp4/399kXg3APnlu80GuHPVQjwKTPIT3uKl9Zo0+1/Qa9ZNYA0PVhNRGjC2ScNC OmwX36lA0jUNCs6UBPbXaXVHT9thJeK+/3L9euK3/16DaXEUWdkPDpPhjGQ/tw== To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH 00/11] firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection Message-ID: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Date: Sat, 18 Dec 2021 14:46:56 +0100 MIME-Version: 1.0 Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This patchset improves IPFire's firewall engine by... (a) improved logging of spoofed packets and martians (b) prevention of spoofing attempts on RED's interface IP address (c) dropping traffic from and to networks known to pose a technical threat to IPFire users (see https://git.ipfire.org/?p=location/libloc.git;a=commit;h=69b3d894fbee6e94afc2a79593f7f6b300b88c10 for details) by default on new installations, doing so in a dedicated, easy to configure IPtables chain. Sadly, a decent fraction of our userbase does not bother creating any firewall rules at all, so any outbound traffic is allowed on their networks. Therefore, preventing them from reaching the "baddest of the bad" makes sense for a basic detection of their devices and networks. Any sane IPS configuration would already cover the networks in question, so most IPFire machines running a decent IPS policy will already drop the offending traffic, albeit in a rather costly way. Please note this patchset needs additional commits for the Core Update it is intended to go to, such as shipping the changed files, and adding sane defaults to existing installations in /var/ipfire/optionsfw/settings. See also: #12031 Peter Müller (11): firewall: Log packets dropped due to conntrack INVALID state firewall: Accept inbound Tor traffic before applying the location filter firewall: Log and drop spoofed loopback packets firewall: Prevent spoofing our own RED IP address firewall: Introduce DROP_HOSTILE optionsfw.cgi: Make logging of spoofed/martians packets and the DROP_HOSTILE filter configurable Update German and English translation files collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN} graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well configroot: Enable logging of spoofed packets/martians by default configroot: Drop traffic from and to hostile networks by default config/cfgroot/graphs.pl | 22 ++++++-- config/collectd/collectd.conf | 2 + html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++------ langs/de/cgi-bin/de.pl | 9 +++- langs/en/cgi-bin/en.pl | 7 ++- lfs/configroot | 4 +- src/initscripts/system/firewall | 63 +++++++++++++++++----- 7 files changed, 166 insertions(+), 37 deletions(-)