From patchwork Sat Dec 18 13:48:33 2021
Subject: [PATCH 04/11] firewall: Prevent spoofing our own RED IP address
From: Peter Müller
To: development@lists.ipfire.org
Date: Sat, 18 Dec 2021 14:48:33 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>

There is no legitimate reason why traffic from our own IP address on RED should ever appear incoming on that interface. This prevents attackers from impersonating IPFire itself, and is only cleared/reset if the RED interface is brought up. Therefore, an attacker cannot bypass this by forcing a dial-up or DHCP connection to break down.

Signed-off-by: Peter Müller
---
 src/initscripts/system/firewall | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1c62c6e2c..9e62c0245 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -374,6 +374,17 @@ iptables_red_up() { iptables -F REDFORWARD iptables -t nat -F REDNAT + # Prohibit spoofing our own IP address on RED + if [ -f /var/ipfire/red/active ]; then + REDIP="$( cat /var/ipfire/red/local-ipaddress )"; + + if [ "$IFACE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN + elif [ "$DEVICE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN + fi + fi + # PPPoE / PPTP Device if [ "$IFACE" != "" ]; then # PPPoE / PPTP
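Review bot: REDIP is used without checking that it is non-empty, and it is unquoted in both iptables calls. The guard only tests for /var/ipfire/red/active, so if /var/ipfire/red/local-ipaddress is missing or empty at that moment the rule becomes `iptables -A REDINPUT -s -i $IFACE -j SPOOFED_MARTIAN`, which iptables rejects, and the anti-spoofing rule is silently not installed. Suggest wrapping the two iptables lines in `if [ -n "${REDIP}" ]; then ... fi` (or failing loudly) and quoting `"${REDIP}"`. The trailing `;` after the REDIP assignment is stray. Minor: the IFACE/DEVICE selection is duplicated from the "# PPPoE / PPTP Device" block directly below it; computing the interface once and reusing it in both places would keep the two from drifting apart.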
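The rule the patch installs depends on two state files and an interface variable all being populated at the moment RED comes up. The following is an added example, not IPFire's own code: a hardened variant of the same rule that refuses to emit anything when the address file is missing, empty or not a dotted quad, and that prints the iptables command instead of executing it so it can be dry-run. The state directory is passed as a parameter (the real one is /var/ipfire/red) so the fixture below can point at a temporary directory; the helper names and the sample address 198.51.100.7 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the IPFire patch): hardened emission of the
# "drop packets claiming our own RED address" rule, with a dry-run fixture.

# Pick the interface the rule binds to, mirroring the patch: IFACE (PPPoE/PPTP)
# wins over DEVICE; prints nothing when neither is set.
red_iface() {
    if [ -n "$IFACE" ]; then
        printf '%s\n' "$IFACE"
    elif [ -n "$DEVICE" ]; then
        printf '%s\n' "$DEVICE"
    fi
}

# Dotted-quad sanity check. Rejects the empty string and anything iptables
# would otherwise parse as the next option (e.g. "-i").
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Usage: red_antispoof_rule STATEDIR
# Prints the iptables command on stdout and returns 0 when RED is active,
# the address file holds an IPv4 address and an interface is known.
# Returns 1 with no output otherwise, so a caller can log the failure
# instead of handing iptables a malformed rule.
red_antispoof_rule() {
    statedir="$1"
    [ -f "$statedir/active" ] || return 1
    redip="$(cat "$statedir/local-ipaddress" 2>/dev/null)" || return 1
    is_ipv4 "$redip" || return 1
    iface="$(red_iface)"
    [ -n "$iface" ] || return 1
    printf 'iptables -A REDINPUT -s %s -i %s -j SPOOFED_MARTIAN\n' "$redip" "$iface"
}

# Constructed fixture in a temp dir (not a real IPFire state directory):
# RED active on red0 with a sample address, then the rule is printed.
demo() {
    dir="$(mktemp -d)"
    touch "$dir/active"
    printf '198.51.100.7\n' > "$dir/local-ipaddress"
    IFACE=
    DEVICE=red0
    red_antispoof_rule "$dir"
    rm -rf "$dir"
}

demo
```

Replacing the `printf` in `red_antispoof_rule` with the real `iptables` call gives the production form; the point of the example is that the non-zero return on an empty or malformed address is what the caller should act on, rather than letting iptables fail and continue.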