| Message ID | c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org | 
|---|---|
| State | Accepted | 
| Commit | 97154d057bdbc7fa34309e9a5ad389775eff210d | 
| Headers | Subject: [PATCH 05/11] firewall: Introduce DROP_HOSTILE; From: Peter Müller <peter.mueller@ipfire.org>; To: development@lists.ipfire.org; Date: Sat, 18 Dec 2021 14:48:46 +0100; Message-ID: <c2562a9e-0b55-67f8-b48f-62df97fa7196@ipfire.org>; In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>; List-Id: IPFire development talk <development.lists.ipfire.org> |
| Series | firewall: Introduce DROP_HOSTILE and improve spoofing logging/protection |
Commit Message
    Peter Müller
    18 Dec 2021, 1:48 p.m. UTC
  
  
Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfere with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 src/initscripts/system/firewall | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
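The commit message argues that a dedicated chain makes it always clear why a packet was dropped. As an added example that is not part of the patch or of IPFire, the script below reads the kernel log lines that the chain's LOG rule writes (prefix `DROP_HOSTILE `, taken from the patch) and reports how many drops were from hostile networks versus to them, and which addresses recur; the red interface name `red0` is an assumption and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example (not IPFire code): summarise kernel log lines written by the
# DROP_HOSTILE chain's LOG rule. The "DROP_HOSTILE " prefix comes from the
# patch; the log lines, interface names and addresses are constructed samples.
RED_IFACE=${RED_IFACE:-red0}   # assumed name of the WAN-side interface

SAMPLE_LOG='Dec 18 14:01:02 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 18 14:01:05 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=44322 DPT=443 SYN URGP=0
Dec 18 14:01:09 ipfire kernel: DROP_HOSTILE IN=red0 OUT=green0 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=44323 DPT=445 SYN URGP=0
Dec 18 14:02:10 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.99 LEN=52 PROTO=TCP SPT=50000 DPT=80 SYN URGP=0
Dec 18 14:02:11 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=198.51.100.2 DST=203.0.113.99 LEN=76 PROTO=UDP SPT=53 DPT=53
Dec 18 14:02:12 ipfire kernel: LOCATION_BLOCK IN=red0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 PROTO=TCP DPT=23'

# awk helpers shared by the functions below. A packet that entered on the red
# interface was matched by --src-cc, so SRC is the hostile address; anything
# else was matched on its way out by --dst-cc, so DST is the hostile address.
AWK_FUNCS='
function field(line, key,    n, i, p) {
    n = split(line, p, " ")
    for (i = 1; i <= n; i++)
        if (index(p[i], key "=") == 1) return substr(p[i], length(key) + 2)
    return ""
}
function hostile_dir(line)  { return (field(line, "IN") == red) ? "from-hostile" : "to-hostile" }
function hostile_addr(line) { return (hostile_dir(line) == "from-hostile") ? field(line, "SRC") : field(line, "DST") }
'

# Number of DROP_HOSTILE lines in $1 going in direction $2 (from-hostile|to-hostile).
drop_hostile_count() {
    printf '%s\n' "$1" | awk -v red="$RED_IFACE" -v want="$2" "$AWK_FUNCS"'
        /kernel: DROP_HOSTILE / { if (hostile_dir($0) == want) n++ }
        END { print n + 0 }'
}

# "count address" for each hostile address seen in $1, most frequent first.
drop_hostile_top_addresses() {
    printf '%s\n' "$1" | awk -v red="$RED_IFACE" "$AWK_FUNCS"'
        /kernel: DROP_HOSTILE / { seen[hostile_addr($0)]++ }
        END { for (a in seen) print seen[a], a }' | sort -rn
}

for dir in from-hostile to-hostile; do
    printf '%-13s %s\n' "$dir" "$(drop_hostile_count "$SAMPLE_LOG" "$dir")"
done
drop_hostile_top_addresses "$SAMPLE_LOG"
```

On a live system the same functions can be fed `journalctl -k` or `/var/log/messages` output instead of the constructed sample.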
  
Comments
Hello,

I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.

Whenever we download the database, we extract everything:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD

So this should always work.

-Michael

> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Similar to the Location block, this chain logs and drops all traffic
> from and to networks known to pose technical threats to IPFire users.
> 
> Doing so in a dedicated chain makes sense for transparency reasons, as
> we won't interfer with other firewall rules or the Location block, so it
> is always clear why a packet from or to such a network has been dropped.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> src/initscripts/system/firewall | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 9e62c0245..ebc8168ae 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -139,6 +139,20 @@ iptables_init() {
> 	iptables -t nat -N CUSTOMPOSTROUTING
> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
> 
> +	# Log and drop any traffic from and to networks known as being hostile, posing
> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
> +	if [ "$DROPHOSTILE" == "on" ]; then
> +		iptables -N DROP_HOSTILE
> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
> +
> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
> +
> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
> +	fi
> +
> 	# P2PBLOCK
> 	iptables -N P2PBLOCK
> 	iptables -A INPUT -j P2PBLOCK
> -- 
> 2.26.2
Hello Michael,
thanks for your reply.
This is good to know as I was surprised to see this working on my testing machine without
any further exports/converting/${whatever} of the location database. :-)
Thanks, and best regards,
Peter Müller
> Hello,
> 
> I told you that you will need to export the lists before you can load them, but that seems to have been incorrect.
> 
> Whenever we download the database, we extract everything:
> 
>   https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/scripts/update-location-database;h=06b22d101cafbb59c23c2c0310d35905b280d9dd;hb=HEAD
> 
> So this should always work.
> 
> -Michael
> 
>> On 18 Dec 2021, at 13:48, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Similar to the Location block, this chain logs and drops all traffic
>> from and to networks known to pose technical threats to IPFire users.
>>
>> Doing so in a dedicated chain makes sense for transparency reasons, as
>> we won't interfer with other firewall rules or the Location block, so it
>> is always clear why a packet from or to such a network has been dropped.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 14 ++++++++++++++
>> 1 file changed, 14 insertions(+)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 9e62c0245..ebc8168ae 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -139,6 +139,20 @@ iptables_init() {
>> 	iptables -t nat -N CUSTOMPOSTROUTING
>> 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
>>
>> +	# Log and drop any traffic from and to networks known as being hostile, posing
>> +	# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
>> +	if [ "$DROPHOSTILE" == "on" ]; then
>> +		iptables -N DROP_HOSTILE
>> +		iptables -A DROP_HOSTILE  -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
>> +
>> +		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE
>> +		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE
>> +
>> +		iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
>> +	fi
>> +
>> 	# P2PBLOCK
>> 	iptables -N P2PBLOCK
>> 	iptables -A INPUT -j P2PBLOCK
>> -- 
>> 2.26.2
>
  
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK
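Review bot: the `OUTPUT` rule in this hunk matches `--src-cc XD`, but for locally generated packets leaving via `$IFACE` the source address is the firewall's own, so that rule can never fire and traffic *to* hostile networks originating on the firewall itself is not covered, contrary to the commit message ("from and to networks") and to the parallel `FORWARD -o $IFACE` rule, which correctly uses `--dst-cc XD`; the line should read `iptables -A OUTPUT  -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE`. As a smaller point, the comment's "i. e. listed at Spamhaus DROP et al." should be "e.g.", since Spamhaus DROP is one example of the lists feeding the XD pseudo-country rather than a definition of it.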