From patchwork Wed May 18 15:53:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5624 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4L3HbP3tTXz3x1v for ; Wed, 18 May 2022 15:53:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4L3HbM0cB5z2RV; Wed, 18 May 2022 15:53:51 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4L3HbL6Trkz2ynk; Wed, 18 May 2022 15:53:50 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4L3HbK3qsXz2xyg for ; Wed, 18 May 2022 15:53:49 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4L3HbH6kdNzYR for ; Wed, 18 May 2022 15:53:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1652889228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=51EFweHBKRL9+ChR6viDgKvXbl/ACuhV1udML4C1JTE=; b=0uBFKP3uCfbBkCiwflGwUbyYzmklD4hBZBSOSD7QbDiuqWkcsngFQUU/lR0+ReE4uXFMc1 VKouzsli3G98QmBA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1652889228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=51EFweHBKRL9+ChR6viDgKvXbl/ACuhV1udML4C1JTE=; b=t/9+67Yu6KqQ8h3jswocVW/x4KmtW2g7sgOIsbS2eiysa0px4CrQIvQfdaD823SE6pIBdZ LGH69rc04xH68YWJMa2a8GweWAmc+ouLIAoi+J7YCEDU/q7nU0pVt1Apaoq7hu6VBZcXes d12Umr+WZQ9ulXN3vXpWQAHsx9ycopRP/OO/fILY0TpmkmX/q10BBvZvNseN7vR3xM1RNJ 5gwcsitV1jVAbiUXJeGctbdLZ6TpYKIG+4YnE2dXiJa+euVqF/CjixXvrELrv833bLlJtG JSS1YKxYv0rmgThjd2DOIMeP3OZlbDjZaMsrE/ZleAuFeMFUQtq0FSs81UGSZw== Message-ID: <64c47b49-abd0-737b-5a93-6b621be190e2@ipfire.org> Date: Wed, 18 May 2022 15:53:42 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] strongSwan: Bring back firewall rules for permitting ESP and AH traffic X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Fixes: #12866 Signed-off-by: Peter Müller --- src/patches/strongswan-ipfire.patch | 47 ++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 14 deletions(-) diff --git a/src/patches/strongswan-ipfire.patch b/src/patches/strongswan-ipfire.patch index 0f2be7483..ab04d57e0 100644 --- a/src/patches/strongswan-ipfire.patch +++ b/src/patches/strongswan-ipfire.patch @@ -1,13 +1,13 @@ -commit 654e2b7688c5fbd4e1fc46648bc1864301fb6027 -Author: Michael Tremer -Date: Mon Mar 21 19:49:02 2022 +0000 +commit a3cfab9961cd088fb7df9fa8e646601f8f879762 +Author: Peter Müller +Date: Wed May 18 15:50:34 2022 +0000 IPFire modifications to _updown script - Signed-off-by: Michael Tremer + Signed-off-by: Peter Müller diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in -index 34eaf68c7..514ecb578 100644 +index 34eaf68c7..0302fa128 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -242,10 +242,10 @@ up-host:iptables) @@ -98,7 +98,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -342,10 +324,10 @@ up-client:iptables) +@@ -342,47 +324,34 @@ up-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -110,8 +110,17 @@ index 34eaf68c7..514ecb578 100644 + "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Open Firewall for AH + ESP Traffic ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ ;; -@@ -353,36 +335,14 @@ down-client:iptables) + down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -149,7 +158,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT fi # -@@ -392,10 +352,10 @@ down-client:iptables) +@@ -392,12 +361,20 @@ down-client:iptables) if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -161,8 +170,18 @@ index 34eaf68c7..514ecb578 100644 + "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" fi fi ++ ++ # Close Firewall for AH + ESP Traffic ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p AH \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ++ iptables --wait -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \ ++ -s $PLUTO_PEER $S_PEER_PORT \ ++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT ;; -@@ -422,10 +382,10 @@ up-host-v6:iptables) + # + # IPv6 +@@ -422,10 +399,10 @@ up-host-v6:iptables) # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -175,7 +194,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -454,10 +414,10 @@ down-host-v6:iptables) +@@ -454,10 +431,10 @@ down-host-v6:iptables) # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -188,7 +207,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -487,10 +447,10 @@ up-client-v6:iptables) +@@ -487,10 +464,10 @@ up-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -201,7 +220,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -499,10 +459,10 @@ up-client-v6:iptables) +@@ -499,10 +476,10 @@ up-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -214,7 +233,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -535,11 +495,11 @@ down-client-v6:iptables) +@@ -535,11 +512,11 @@ down-client-v6:iptables) # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -228,7 +247,7 @@ index 34eaf68c7..514ecb578 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -549,11 +509,11 @@ down-client-v6:iptables) +@@ -549,11 +526,11 @@ down-client-v6:iptables) # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then