From patchwork Wed Sep 25 19:45:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2430
To: "IPFire: Development-List"
From: peter.mueller@ipfire.org
Subject: [PATCH] firewall: always allow outgoing DNS traffic to root servers
Date: Wed, 25 Sep 2019 19:45:00 +0000
List-Id: IPFire development talk

Allowing outgoing DNS traffic (destination port 53, both TCP and UDP)
to the root servers is BCP for some reasons.

First, RFC 5011 assumes resolvers are able to fetch new trust anchors
from the root servers for a certain time period in order to do key
rollovers.

Second, Unbound shows some side effects if it cannot do trust anchor
signaling (see RFC 8145) or fetch the current trust anchor, resulting
in SERVFAILs for arbitrary requests for a few minutes.

There is little security implication of allowing DNS traffic to the
root servers: An attacker might abuse this for exfiltrating data via
DNS queries, but is unable to infiltrate data unless he gains control
over at least one root server instance. If there is no firewall
ruleset in place which prohibits any other DNS traffic than to chosen
DNS servers, this patch will not have security implications at all.

Fixes #12183

Cc: Michael Tremer
Suggested-by: Horace Michael
Signed-off-by: Peter Müller
---
 config/rootfiles/core/137/filelists/files |  1 +
 src/initscripts/system/firewall           | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files
index ce4e51768..a02840d12 100644
--- a/config/rootfiles/core/137/filelists/files
+++ b/config/rootfiles/core/137/filelists/files
@@ -1,4 +1,5 @@ etc/system-release etc/issue +etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708..ff63a2ede 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -6,10 +6,11 @@ eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) -IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` +ROOTHINTS="/etc/unbound/root.hints" +IFACE=$( /bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012' ) if [ -f /var/ipfire/red/device ]; then - DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` + DEVICE=$( /bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012' ) fi function iptables() { @@ -307,6 +308,17 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT + + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers + ROOTSERVERIPS="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} | xargs )" + ipset -N root-servers iphash + + for ip in ${ROOTSERVERIPS}; do + ipset add root-servers $ip + done + + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT # Jump into the actual firewall ruleset. iptables -N INPUTFW
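Review bot: in the first src/initscripts/system/firewall hunk (around line 6), the rewrite of the IFACE and DEVICE assignments from backticks to `$( ... )` is unrelated to the DNS change the commit message describes and mixes cosmetic churn into a security-relevant patch; it would be easier to review as its own cleanup commit, leaving this hunk with only the new `ROOTHINTS="/etc/unbound/root.hints"` line.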
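Review bot: in the second src/initscripts/system/firewall hunk (around line 307), `ipset -N root-servers iphash` and the unconditional `ipset add root-servers $ip` lines are not idempotent: if iptables_init runs again on a firewall restart while the set still exists, creating a set with the same name and re-adding existing members both fail, so use `ipset create root-servers hash:ip -exist` and `ipset add root-servers $ip -exist`, or destroy the set explicitly before creating it. Two smaller points in the same hunk: the awk pattern `/\s+A\s+/` depends on `\s`, which is a GNU awk extension rather than POSIX awk syntax, so an awk without it leaves ROOTSERVERIPS empty and the rules match nothing without any error (`[[:space:]]` is the portable spelling, and a `[ -r "${ROOTHINTS}" ]` guard would also catch a missing hints file); and only A records are collected, so there is no matching ip6tables rule for the AAAA entries of the root servers, which matters as soon as the resolver prefers IPv6 for its root queries.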
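The root-server allow rule from the patch, reworked as an added example (not IPFire's own code) that parses the root.hints format with POSIX awk, handles both A and AAAA records, and creates the sets idempotently with `-exist`; the hints text is a constructed sample using documentation addresses, and RUN defaults to `echo` so the script only prints the ipset/iptables commands it would run.

```shell
#!/bin/sh
# Added example (not part of the IPFire patch): parse a root.hints file into
# IPv4/IPv6 address lists with POSIX awk and build the root-server ipsets
# idempotently. The hints text is a constructed sample (documentation addresses).

ROOTHINTS_SAMPLE='; constructed root.hints sample (documentation addresses)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
; a comment line that mentions  A  must not match
'

# Print the addresses of one record type (A or AAAA) from hints text on stdin.
# Matching on field 3 avoids the GNU-only \s regex of the patch, which on a
# non-GNU awk would silently yield an empty list and therefore an empty set.
root_server_ips() {
    awk -v rrtype="$1" '$1 !~ /^;/ && $3 == rrtype { print $4 }'
}

# Emit the ipset/iptables commands for one address family (4 or 6). RUN is
# "echo" by default (dry run); set RUN="" to execute on a real firewall.
build_root_server_rules() {
    family="$1"
    setname="root-servers${family}"
    if [ "$family" = 6 ]; then ipt=ip6tables; fam=inet6; rrtype=AAAA
    else ipt=iptables; fam=inet; rrtype=A; fi
    ips=$(printf '%s' "$ROOTHINTS_SAMPLE" | root_server_ips "$rrtype")
    [ -n "$ips" ] || { echo "no $rrtype records found in hints" >&2; return 1; }
    # -exist makes both create and add safe when the firewall is restarted
    $RUN ipset create "$setname" hash:ip family "$fam" -exist
    for ip in $ips; do $RUN ipset add "$setname" "$ip" -exist; done
    for proto in tcp udp; do
        $RUN $ipt -A OUTPUT -m set --match-set "$setname" dst \
            -p "$proto" --dport 53 -j ACCEPT
    done
}

RUN="${RUN-echo}"
```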