From patchwork Mon Apr 18 18:27:23 2022
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 5516
Message-ID: <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>
Date: Mon, 18 Apr 2022 18:27:23 +0000
To: "IPFire: Development"
From: Peter Müller
Subject: [PATCH] firewall/sysctl: Make Reverse Path Forwarding mode configurable
List-Id: IPFire development talk

For the vast majority of IPFire installations (i.e. those that do not make use of asymmetric routing), it is safe to run the Linux kernel's Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704, section 2.2, significantly hampering spoofing attacks.

However, we cannot switch to this operating mode globally, since (a) some IPFire installations cannot use it and (b) we need to avoid a breaking change on this end.

Therefore, this patch adds a switch to the firewall options CGI, permitting users to choose between 'loose' and 'strict' RPF mode, where 'loose' is the current default. On existing installations, this should be left untouched (although users are urged to check whether they can switch to the 'strict' mode); similar to the 'drop hostile' feature, this should be set to 'strict' by default on new installations.

Since only a sysctl is changed under the hood, changes do not require a reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The corresponding misc-prog has been adjusted to reflect this.

Signed-off-by: Peter Müller
---
 html/cgi-bin/optionsfw.cgi | 18 ++++++++++++++++++
 langs/de/cgi-bin/de.pl | 3 +++
 langs/en/cgi-bin/en.pl | 5 ++++-
 src/initscripts/system/sysctl | 11 ++++++++++-
 src/misc-progs/firewallctrl.c | 1 +
 5 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..72a4cddc8 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele $selected{'MASQUERADE_BLUE'}{'off'} = ''; $selected{'MASQUERADE_BLUE'}{'on'} = ''; $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"'; +$checked{'RPFORWARDINGMODE'}{'loose'} = ''; +$checked{'RPFORWARDINGMODE'}{'strict'} = ''; +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} = "checked='checked'"; &Header::openbox('100%', 'center',); print "
"; @@ -334,6 +337,21 @@ END
+ + + + + + + + + +
$Lang::tr{'reverse path forwarding'}
$Lang::tr{'reverse path forwarding mode'} + $Lang::tr{'strict'} / + $Lang::tr{'loose'} +
+
+
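Review bot: In the `$checked{'RPFORWARDINGMODE'}` hunk, `$settings{'RPFORWARDINGMODE'}` has no default anywhere in this patch, so on an upgraded installation whose settings file lacks the key the third line looks up an undefined hash key and neither radio button is pre-selected, even though the commit message says 'loose' is the current default; set `$settings{'RPFORWARDINGMODE'} = 'loose';` before the settings file is read. Separately, the visible diff contains no validation of the submitted value on the save path, yet the sysctl initscript later runs `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)` on that file; restrict the stored value to the two literals 'loose' and 'strict' before writing it.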
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 6094c191a..047d47fe0 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1623,6 +1623,7 @@ 'logging server' => 'Protokollierungsserver', 'loginlogout' => 'Login/Logout', 'logs' => 'Protokolldateien', +'loose' => 'locker', 'loosedirectorychecking' => 'Loose directorychecking', 'low' => 'Niedrig', 'ls_dhcpd' => 'DHCP-Server:', @@ -2159,6 +2160,8 @@ 'restore defaults' => 'Voreinstellungen wiederherstellen', 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen', 'restore settings' => 'Einstellungen wiederherstellen', +'reverse path forwarding' => 'Reverse Path Forwarding', +'reverse path forwarding mode' => 'Betriebsmodus des Reverse Path Forwarding (siehe RFC 3704, Abschnitt 2)', 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren', 'root' => 'Root', 'root certificate' => 'Root-Zertifikat', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 510ed095b..80d8f7f1a 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1671,6 +1671,7 @@ 'logging server' => 'Logging Server', 'loginlogout' => 'Login/Logout', 'logs' => 'logs', +'loose' => 'loose', 'loosedirectorychecking' => 'Loosedirectorychecking', 'low' => 'Low', 'ls_dhcpd' => 'DHCP Server:', @@ -2211,6 +2212,8 @@ 'restore defaults' => 'Restore defaults', 'restore hardware settings' => 'Restore hardware settings', 'restore settings' => 'Reset Settings', +'reverse path forwarding' => 'Reverse Path Forwarding', +'reverse path forwarding mode' => 'Operating mode of Reverse Path Forwarding (see RFC 3704, section 2)', 'reverse sort' => 'Sort in reverse chronological order', 'root' => 'Root', 'root certificate' => 'Root Certificate', 
@@ -2394,7 +2397,7 @@ 'stop' => 'Stop', 'stop ovpn server' => 'Stop OpenVPN Server', 'stopped' => 'STOPPED', -'strict' => 'Strict', +'strict' => 'strict', 'subject' => 'Subject', 'subject test' => 'Teste-mail', 'subject warn' => 'Warning - warnlevel reached', diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl index 8897c1faa..c7aebbc8d 100644 --- a/src/initscripts/system/sysctl +++ b/src/initscripts/system/sysctl @@ -22,6 +22,8 @@ . /etc/sysconfig/rc . ${rc_functions} +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) + case "${1}" in start) if [ -f "/etc/sysctl.conf" ]; then @@ -29,7 +31,7 @@ case "${1}" in sysctl -q -p evaluate_retval fi - arch=`uname -m` + arch=$(uname -m) case "${arch}" in armv*) arch="armv6l": @@ -40,6 +42,13 @@ case "${1}" in sysctl -q -p /etc/sysctl-${arch}.conf evaluate_retval fi + + if [ "$RPFORWARDINGMODE" == "strict" ]; then + boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..." + sysctl -q -w net.ipv4.conf.all.rp_filter=1 + evaluate_retval + fi + ;; status) diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c index 0f176597d..b6756b0b1 100644 --- a/src/misc-progs/firewallctrl.c +++ b/src/misc-progs/firewallctrl.c @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) { if (!(initsetuid())) exit(1); + safe_system("/etc/rc.d/init.d/sysctl start"); int retval = safe_system("/usr/lib/firewall/rules.pl"); /* If rules.pl has been successfully executed, the indicator
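Review bot: In the en.pl hunk, changing the pre-existing 'strict' key from 'Strict' to 'strict' alters every page that already uses that key, not only the new radio label next to 'loose'; if lowercase is only wanted here, add a new key instead of editing the shared one, and note that de.pl is not touched for 'strict' in this patch (its diffstat shows additions only), so the two languages now differ in casing for the same key.

Review bot: In the sysctl `start` hunk, the strict branch sets only `net.ipv4.conf.all.rp_filter=1`, but the kernel evaluates the maximum of conf/all/rp_filter and conf/<interface>/rp_filter for each interface, so any interface whose own value is still 2 (loose) keeps loose behaviour regardless of this line; also set `net.ipv4.conf.default.rp_filter=1` and the per-interface values, or verify them after the change. There is also no `else` branch: switching back to 'loose' relies on the earlier `sysctl -q -p` having reset the value from /etc/sysctl.conf, which this hunk does not show; an explicit `sysctl -q -w net.ipv4.conf.all.rp_filter=2` in an `else` would make the loose case self-contained. Minor: `==` inside `[ ]` is a bashism; `=` is the portable form.

Review bot: In the hunk adding `eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)`, the eval runs for every initscript action (`status` included) and evaluates whatever the settings file contains, so the script's correctness now depends on the CGI never writing anything but the two expected literals; guard it with a check such as `case "$RPFORWARDINGMODE" in strict|loose) ;; *) RPFORWARDINGMODE=loose ;; esac` so an unexpected value cannot select anything other than the documented default.

Review bot: In the firewallctrl.c hunk, the return value of `safe_system("/etc/rc.d/init.d/sysctl start")` is discarded while the very next line captures `retval` for `rules.pl`; a failed sysctl run (for example an unreadable settings file) goes unnoticed and the firewall reload still reports success. Check the result the same way, or at least log it. The call also re-applies every sysctl from /etc/sysctl.conf and the arch-specific file on each firewall rule reload; a dedicated sub-command that only touches rp_filter would limit the side effects.

The kernel rule behind the strict/loose switch, as an added example that is not part of the patch or of IPFire: a shell check that computes the effective rp_filter mode per interface. The kernel applies the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so setting only `all` to 1 (as the initscript hunk does) does not give strict mode on an interface still at 2. The sysctl root directory is a parameter so the check can be exercised against a constructed tree; the interface names green0/red0 and the fixture values are constructed for the demonstration, not taken from a real system.

```shell
#!/bin/sh
# Added example (not part of the IPFire patch): report the effective Reverse
# Path Filter mode per interface. The kernel validates a packet's source
# address with max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# "all=1" (strict) plus "<iface>=2" (loose) still behaves as loose.
# The sysctl root is a parameter so the functions can be exercised against a
# constructed directory tree; pass /proc/sys on a live system.

rpf_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Effective rp_filter value for one interface (max of all and per-interface).
rpf_effective() {  # $1 = sysctl root, $2 = interface name
    root="$1"; iface="$2"
    all=$(cat "$root/net/ipv4/conf/all/rp_filter")
    per=$(cat "$root/net/ipv4/conf/$iface/rp_filter")
    if [ "$all" -gt "$per" ]; then echo "$all"; else echo "$per"; fi
}

# Print "<iface> <mode>" for every interface whose effective mode differs
# from the wanted value (1 = strict, 2 = loose); exit status 1 on any mismatch.
rpf_check() {  # $1 = sysctl root, $2 = wanted rp_filter value
    root="$1"; want="$2"; rc=0
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        eff=$(rpf_effective "$root" "$iface")
        if [ "$eff" != "$want" ]; then
            echo "$iface $(rpf_mode_name "$eff")"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed fixture (not a real system): conf.all was set to 1 the way the
# patch does it, but the interface named green0 here was left at 2 (loose).
rpf_fixture() {  # $1 = directory to populate
    for i in all default lo green0 red0; do
        mkdir -p "$1/net/ipv4/conf/$i"
    done
    echo 1 > "$1/net/ipv4/conf/all/rp_filter"
    echo 2 > "$1/net/ipv4/conf/default/rp_filter"
    echo 0 > "$1/net/ipv4/conf/lo/rp_filter"
    echo 2 > "$1/net/ipv4/conf/green0/rp_filter"
    echo 1 > "$1/net/ipv4/conf/red0/rp_filter"
}

# Live usage: sh rpf_check.sh /proc/sys 1
# (lists every interface that is not effectively strict; exit status 1 if any)
if [ "$#" -ge 1 ]; then
    rpf_check "$1" "${2:-1}"
fi
```

Against the fixture, `rpf_check <root> 1` reports `green0 loose` and exits 1 although conf.all is 1, which is exactly the situation the initscript hunk leaves behind for any interface whose own rp_filter stays at 2; once green0 is set to 1 the check passes. Run it against /proc/sys after toggling the new option to confirm the mode is really in effect on every interface.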