From patchwork Mon Jan 27 15:04:00 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2727
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH] avoid emitting VPN traffic to the internet if the IPS crashed
Message-ID: <831d6fe4-8851-326a-450f-ac14a017479a@ipfire.org>
Date: Mon, 27 Jan 2020 15:04:00 +0000
List-Id: IPFire development talk

Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or OpenVPN) destinations was emitted to the internet (ppp0 or red0 interface) directly if the IPS was enabled but crashed during operation.

This patch places the IPSECBLOCK and OVPNBLOCK chains before the ones responsible for forwarding traffic into the IPS.

Thanks to Michael for his debugging effort.

Partially fixes #12257

Cc: Michael Tremer
Cc: Stefan Schantl
Signed-off-by: Peter Müller
Acked-by: Michael Tremer
---
 src/initscripts/system/firewall | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..ab144ea18 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,14 +185,6 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN - # IPS (suricata) chains - iptables -N IPS_INPUT - iptables -N IPS_FORWARD - iptables -N IPS_OUTPUT - iptables -A INPUT -j IPS_INPUT - iptables -A FORWARD -j IPS_FORWARD - iptables -A OUTPUT -j IPS_OUTPUT - # Block non-established IPsec networks iptables -N IPSECBLOCK iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK @@ -204,6 +196,14 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK + # IPS (suricata) chains + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT + # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT
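Review bot: the relocated "# IPS (suricata) chains" block in the second hunk carries no comment stating that it must stay after the IPSECBLOCK and OVPNBLOCK rules, so a later cleanup could move it back and silently reintroduce the leak the commit message describes; suggest extending the comment, e.g. `# IPS (suricata) chains - must come after IPSECBLOCK/OVPNBLOCK, see #12257`. Two observations worth recording in the commit message or a comment: the IPSECBLOCK jump only matches `-m policy --dir out --pol none`, i.e. forwarded traffic with no IPsec policy, so established tunnels still reach IPS_FORWARD exactly as before; and any FORWARD rules appended after the `iptables -A FORWARD -j IPS_FORWARD` jump (the OVPNNAT rules in the nat table are unaffected, but later filter rules are not) remain exposed to the same NFQUEUE behaviour when suricata is not running, which is consistent with the "Partially fixes #12257" wording and should be called out so the residual risk is not forgotten.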