From patchwork Sat Dec 18 13:47:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4924 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxG2GyGz3wtM for ; Sat, 18 Dec 2021 13:47:30 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRxF6SLHz1F4; Sat, 18 Dec 2021 13:47:29 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRxF634Rz2ysF; Sat, 18 Dec 2021 13:47:29 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxD2PXjz2xXd for ; Sat, 18 Dec 2021 13:47:28 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRxC1JDzznC for ; Sat, 18 Dec 2021 13:47:26 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835247; 
h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ApxN+JciJpuy6gpfFXsat5eInXVqMp2GllWQXsGEwZE=; b=sOorwl8MboBJcHCeceplWX/LV4t4YNMFTjOCP+xJmeO0i0ZHpGSTncx5TNdgXhwZTdeiXV g1c+qp/rlGvt9aBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ApxN+JciJpuy6gpfFXsat5eInXVqMp2GllWQXsGEwZE=; b=JsPM2WaIIbm4EdlpuFg+cgbKRh5sghsvcyy5NrVjpgN4XowHX/J6gZ06+3CjDjgPppCk84 0UZry2AF0TmE+JyT+oGXqDMomY2AxAh27GMo5vRz9d5+oy2G6IXc+jxLQIY17OW3VpEWfa iLkrCaiwxyD/YFlLzaBMYH+YEUqtQzyJf2nrwu84hoUjYx/BZkVUXtY9K3MAuiI1cpOJ8z xtpdv5DhrUKcEjGNfe5SQpNyNOTl0/RdrpFrJBSEjkEHyjLL8kQyDPq7WPeo2yhOb0p5F9 ayVXuoOgsBVMaw00jsXt5DLCvzkjxL9xEaasn+VHMQV8oiyPYzUF28WCOhy01Q== Subject: [PATCH 01/11] firewall: Log packets dropped due to conntrack INVALID state To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> 
From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sat, 18 Dec 2021 14:47:25 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" In case of faulty connection tracking, this ensures such packets are logged, to make analysing network incidents less troublesome. Since NewNotSYN is handled before, where logging can be turned off for systems running on weak flash devices, the amount of log messages emitted here should be negligible. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 75ea8abdf..49c6b7bf9 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -110,7 +110,7 @@ iptables_init() { # Connection tracking chains iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks @@ -136,7 +136,7 @@ iptables_init() { iptables -A INPUT -j P2PBLOCK iptables -A FORWARD -j P2PBLOCK iptables -A OUTPUT -j P2PBLOCK - + # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN 
@@ -265,7 +265,7 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT - + # Jump into the actual firewall ruleset. iptables -N INPUTFW iptables -A INPUT -j INPUTFW From patchwork Sat Dec 18 13:47:56 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4925 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxr57v5z3wtM for ; Sat, 18 Dec 2021 13:48:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRxr1g9vz1QM; Sat, 18 Dec 2021 13:48:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRxr1FSVz2yWZ; Sat, 18 Dec 2021 13:48:00 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRxp2g18z2xXd for ; Sat, 18 Dec 2021 13:47:58 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org 
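Review bot: the `LOG_DROP` target introduced in the CONNTRACK hunk (line 110) is not created anywhere in this diff; if that chain does not exist at the point `iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP` runs, iptables rejects the call with "No chain/target/match by that name" and, unless the script aborts on error, INVALID packets end up neither logged nor dropped. Confirm LOG_DROP is defined before the CONNTRACK chain in iptables_init(), and that its LOG rule is rate-limited, because the NewNotSYN logging switch the commit message relies on does not gate this rule.

Review bot: the hunks at lines 136 and 265 only strip trailing whitespace from two blank lines and have nothing to do with INVALID logging; they turn a one-line change into "3 insertions(+), 3 deletions(-)" and would be cleaner as a separate whitespace commit.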
(Postfix) with ESMTPSA id 4JGRxn2wpVz1Gy for ; Sat, 18 Dec 2021 13:47:57 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835277; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YOxZJT45h7CB62En483pdPBBTW7iAezWC2bKC46qc9g=; b=2MJeOYHufsPdlUFCtSp5cq98FXF1ZvndtlJvrPud67Y7aElKnbq+j2WFjgGGxsYvwOqIwD VK7TqhFGPO+ATsDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835277; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YOxZJT45h7CB62En483pdPBBTW7iAezWC2bKC46qc9g=; b=mHlDujSMvKNIXUFpj+8P6cuOdmQZadxoh2qf32hTMpIf/ecxgTni5jRink4yz1/lxSfqrY Pw6IbVRJxE+ZtObyVtqKw+1dZkv83yjuAs5yNGRYzEdj+Vz0L2UOQrcy6leWabeDb7WT3A wK2P8LidDLGlEj9qNJRf4wj+upui1g8xCMAsYO3smllA0C32b8CPfrfdi/hihQPPlFO9Mg eg1ZmFXw95QqDrEaOlT0qOgoCngteoijceYFlrrbm2Lu+Dofx9AO9S7AEKxhozNTRFLEBy kfZw/3K4spd5kuVMnQC+jvrtdgJFLZQrOt9mK0PGP//JvZcSHzp/g+HZMCKEOA== Subject: [PATCH 02/11] firewall: Accept inbound Tor traffic before applying the location filter To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> 
From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <4347b799-f863-9870-50d2-683b8c078670@ipfire.org> Date: Sat, 18 Dec 2021 14:47:56 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Inbound Tor traffic conflicts with Location block as inbound connections have to be accepted from many parts of the world. To solve this, inbound Tor traffic has to be accepted before jumping into Location block chain. Note this affects Tor relay operators only. Rolled forward as ongoing from https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/, note the documentation in the wiki needs to be updated once this landed in production. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 49c6b7bf9..cc5baa292 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -227,6 +227,10 @@ iptables_init() { iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT fi + # Tor (inbound) + iptables -N TOR_INPUT + iptables -A INPUT -j TOR_INPUT + # Location Block iptables -N LOCATIONBLOCK iptables -A INPUT -j LOCATIONBLOCK 
@@ -260,9 +264,7 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor (inbound and outbound) - iptables -N TOR_INPUT - iptables -A INPUT -j TOR_INPUT + # Tor (outbound) iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT From patchwork Sat Dec 18 13:48:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4926 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyG0YyZz3wtM for ; Sat, 18 Dec 2021 13:48:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRyF4Q2Mz3ZZ; Sat, 18 Dec 2021 13:48:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyF2KZYz2ysF; Sat, 18 Dec 2021 13:48:21 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyC451gz2xXd for ; Sat, 18 Dec 2021 13:48:19 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client 
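Review bot: with the jump to TOR_INPUT now placed ahead of LOCATIONBLOCK (hunk at line 227), every ACCEPT rule that later lands in TOR_INPUT bypasses the location filter entirely; the rules that populate the chain are not part of this diff, so confirm they are scoped to the relay's listening ports (`-p tcp --dport` on the configured ORPort/DirPort) rather than accepting arbitrary inbound traffic, and that the chain stays empty when no relay is configured, so that non-relay installs are unaffected as the commit message states.

Review bot: the hunk at line 260 splits the old "Tor (inbound and outbound)" comment into "Tor (outbound)" but leaves no trace of why TOR_INPUT moved; since the commit message defers the explanation to a wiki update, a one-line comment above the new TOR_INPUT block (hunk at line 227) saying it must precede LOCATIONBLOCK because relays accept connections from any country would keep the reasoning in the script itself.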
certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyB3Rqvz192 for ; Sat, 18 Dec 2021 13:48:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835298; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q51kKlgymfGw5ckQ3aICPUzLDF7/yXSb78yad1iRAaM=; b=cX8fdmPBY/eo/+KMoW/JGOEZFIzQ1uuBE/fxuzgGHjDpc1sXHgEeCkZGSQJFGgRj1TEDWd 7S/qpEvLHV0834Cw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835298; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Q51kKlgymfGw5ckQ3aICPUzLDF7/yXSb78yad1iRAaM=; b=qaCkgK07dde6M6CuHX4hPFTv3Xv/8F7PxxH4XFaIk19EK7FlJvnCm8GhOTUniNwE9JCrcl oCG+9bWQQP5egnTKk0ts4ocK1oxViZ3hQvh/y3y7RSsjIzBH3jCh4N4sF1COjlxBTr5zbq RRBqXu4B3K6iYRhlO01iGfLXVqj513nO0Icvntk5dFhN0G+wgPl/oJwPudIelheGbMmGAl +ek89xudR115enzY6784ESAkAqzw6KptLBJtPbIg2zqUeXOgcUGvDI4N+jqQCzWMDJ25B5 bicLToI9bk2IOlXw09JlG63HjB2LXS29/vGMJ2zEMxihFDgxvkgzgx0ZiU3ysQ== Subject: [PATCH 03/11] firewall: Log and drop spoofed loopback packets To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> 
From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <2ab43082-5d2d-d4bf-eba1-c78dede9b8b7@ipfire.org> Date: Sat, 18 Dec 2021 14:48:17 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Traffic from and to 127.0.0.0/8 must only appear on the loopback interface, never on any other interface. This ensures offending packets are logged, and the loopback interface cannot be abused for processing traffic from and to any other networks. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index cc5baa292..1c62c6e2c 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -80,6 +80,14 @@ iptables_init() { fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN" + # Log and subsequently drop spoofed packets or "martians", arriving from sources + # on interfaces where we don't expect them + iptables -N SPOOFED_MARTIAN + if [ "$DROPSPOOFEDMARTIAN" == "on" ]; then + iptables -A SPOOFED_MARTIAN -m limit --limit 10/second -j LOG --log-prefix "DROP_SPOOFED_MARTIAN " + fi + iptables -A SPOOFED_MARTIAN -j DROP -m comment --comment "DROP_SPOOFED_MARTIAN" + # Chain to contain all the rules relating to bad TCP flags iptables -N BADTCP 
@@ -177,14 +185,18 @@ iptables_init() { iptables -A INPUT -j ICMPINPUT iptables -A ICMPINPUT -p icmp --icmp-type 8 -j ACCEPT - # Accept everything on loopback + # Accept everything on loopback if source/destination is loopback space... iptables -N LOOPBACK - iptables -A LOOPBACK -i lo -j ACCEPT - iptables -A LOOPBACK -o lo -j ACCEPT + iptables -A LOOPBACK -i lo -s 127.0.0.0/8 -j ACCEPT + iptables -A LOOPBACK -o lo -d 127.0.0.0/8 -j ACCEPT + + # ... and drop everything else on the loopback interface, since no other traffic should appear there + iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN + iptables -A LOOPBACK -o lo -j SPOOFED_MARTIAN - # Filter all packets with loopback addresses on non-loopback interfaces. - iptables -A LOOPBACK -s 127.0.0.0/8 -j DROP - iptables -A LOOPBACK -d 127.0.0.0/8 -j DROP + # Filter all packets with loopback addresses on non-loopback interfaces (spoofed) + iptables -A LOOPBACK -s 127.0.0.0/8 -j SPOOFED_MARTIAN + iptables -A LOOPBACK -d 127.0.0.0/8 -j SPOOFED_MARTIAN for i in INPUT FORWARD OUTPUT; do iptables -A ${i} -j LOOPBACK From patchwork Sat Dec 18 13:48:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4927 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyX6K3lz3wtM for ; Sat, 18 Dec 2021 13:48:36 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org 
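Review bot: the LOG rule in the new SPOOFED_MARTIAN chain (hunk at line 80) is only appended when `$DROPSPOOFEDMARTIAN` equals "on"; on an upgraded system the settings file carries no such key until optionsfw.cgi has been saved once, so the variable is empty and spoofed packets are dropped silently. Either initialise DROPSPOOFEDMARTIAN to a default before the test, or state in the comment that the default is an unlogged drop. The `--limit 10/second` runs with the default burst of 5, which is adequate for a diagnostic log.

Review bot: the catch-all `iptables -A LOOPBACK -i lo -j SPOOFED_MARTIAN` in the hunk at line 177 also matches legitimate traffic: the kernel delivers packets addressed to any of the firewall's own non-loopback addresses (a local daemon connecting to the GREEN or RED IP, for example) over lo, and those have neither source nor destination in 127.0.0.0/8, so after this patch they are logged as martians and dropped. Accept such traffic before the catch-all, e.g. `iptables -A LOOPBACK -i lo -m addrtype --src-type LOCAL --dst-type LOCAL -j ACCEPT`, or keep the new drop rules limited to 127.0.0.0/8 on non-lo interfaces as the replaced lines did.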
(Postfix) with ESMTPS id 4JGRyX3j2cz2KF; Sat, 18 Dec 2021 13:48:36 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyX3Fl2z2yWZ; Sat, 18 Dec 2021 13:48:36 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyW1zc2z2xXd for ; Sat, 18 Dec 2021 13:48:35 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyV2m9Tz1Gy for ; Sat, 18 Dec 2021 13:48:34 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835314; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aB84mbkLizDTSody8Vki934zKxnp4cmGAOaXNzot63s=; b=4Fsn31JeEhz1juaPxHiWHO/hIUFrRmvJXEX8NGc9V+0ODh2F6JacAbS289Kcgf1xc6hv3M xxPsW6me6e8ugWAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835314; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aB84mbkLizDTSody8Vki934zKxnp4cmGAOaXNzot63s=; b=Ci78kUNggf0koXNAvVG2NjbWpTXi8SS/2sw3GbNx5fR5/JE7oy3nQGMIrTV/yASZU/t2wM bgAK281qC4gntZu2U3fGE1PgnBpQCBwMrbyTCmuQqIPYD3hMaar5C08uKSoZtAsGCt6Z+r 
GbuHSzLfZbwjum9+ZU4T9Mnc34myakzX8qx7zlFJgLcE+xPov8mxt4hgoT2DYpD2Ykopz0 0N+SYKh1IzrnHmksb33Ss2q+LyxHGWH1V8fY9fmKVYjNZkjB+EAE11uXR+VBbNHAu52F92 cAHwFESf4s4UD3MWk9Vot0o86W/TPWSsTjtwEDqFkP4yOZn5XhlaJhVXvmrW/w== Subject: [PATCH 04/11] firewall: Prevent spoofing our own RED IP address To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sat, 18 Dec 2021 14:48:33 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" There is no legitimate reason why traffic from our own IP address on RED should ever appear incoming on that interface. This prevents attackers from impersonating IPFire itself, and is only cleared/reset if the RED interface is brought up. Therefore, an attacker cannot bypass this by forcing a dial-up or DHCP connection to break down. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1c62c6e2c..9e62c0245 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -374,6 +374,17 @@ iptables_red_up() { iptables -F REDFORWARD iptables -t nat -F REDNAT + # Prohibit spoofing our own IP address on RED + if [ -f /var/ipfire/red/active ]; then + REDIP="$( cat /var/ipfire/red/local-ipaddress )"; + + if [ "$IFACE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN + elif [ "$DEVICE" != "" ]; then + iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN + fi + fi + # PPPoE / PPTP Device if [ "$IFACE" != "" ]; then # PPPoE / PPTP From patchwork Sat Dec 18 13:48:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4928 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRyp06Dzz3wtM for ; Sat, 18 Dec 2021 13:48:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRyn4kncz4Jy; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRyn4K6bz2xqw; Sat, 18 Dec 2021 13:48:49 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 
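Review bot: in the hunk at line 374, `REDIP` is expanded unquoted in `-s $REDIP`; if /var/ipfire/red/local-ipaddress is missing or empty while /var/ipfire/red/active exists, the call degenerates to `iptables -A REDINPUT -s -i $IFACE ...`, which iptables rejects, and the anti-spoofing rule is silently absent. Guard the block with `[ -n "$REDIP" ]` and quote `"$REDIP"` and `"$IFACE"`/`"$DEVICE"`. It is also worth saying in the comment that the rule is refreshed only when iptables_red_up() runs again, so a changed DHCP lease that does not pass through red_up leaves the previous address pinned; that is the behaviour the commit message intends, but a reader of the script alone cannot tell.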
4JGRym23wgz2xXd for ; Sat, 18 Dec 2021 13:48:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRyl2mQGz3fh for ; Sat, 18 Dec 2021 13:48:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=uA2KY1mHARltxWYtt6P85Hi0a1f/lDd19deCDDYOb43aAcSwU5MCu3Pf+9eSqo/s69PMV7 dMe7J+imZo02piBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835327; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=vgKO3nAihQtN1JQldKGZxRrUKD3IO6rywcfwxQyPe6A=; b=KQ0UDvl2MnBamAKC0KXu3sCaIwaqU7S+IVG0KaXLHla4cZjz1EiAb2LLc6gxEhbAXwouvk L3L7h7jv9qnxfDJnctqVW48D+vR1X8TeAFci5iVDqr3hltroQ8crq5XHlYQ1YS+bI9ehf6 r0GzbM0K6nGbtikDHUqdMmDseUGlNCFwtNKIIYqJgVq4NfTFurv5MmA/6CEhLn2BUqXC/d c/+1+dS+GMsOqVul9ne/HNDsqT2PujRce1HZJyMllo9RwNdMcE7V8eK/RTOhXqPRTT7rSa W7OwuVlW9vhk/zR3m/4AcSFOfdV9GecU93PFI/ZvSs36KnLpuSuHymZvfRp1lQ== Subject: [PATCH 05/11] firewall: Introduce DROP_HOSTILE To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> 
From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: Date: Sat, 18 Dec 2021 14:48:46 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Similar to the Location block, this chain logs and drops all traffic from and to networks known to pose technical threats to IPFire users. Doing so in a dedicated chain makes sense for transparency reasons, as we won't interfere with other firewall rules or the Location block, so it is always clear why a packet from or to such a network has been dropped. Signed-off-by: Peter Müller --- src/initscripts/system/firewall | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 9e62c0245..ebc8168ae 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -139,6 +139,20 @@ iptables_init() { iptables -t nat -N CUSTOMPOSTROUTING iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING + # Log and drop any traffic from and to networks known as being hostile, posing + # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) + if [ "$DROPHOSTILE" == "on" ]; then + iptables -N DROP_HOSTILE + iptables -A DROP_HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + + iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j DROP_HOSTILE + iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE + + iptables -A DROP_HOSTILE -j DROP -m comment --comment "DROP_HOSTILE" + fi + # P2PBLOCK iptables -N P2PBLOCK iptables -A INPUT -j P2PBLOCK From patchwork Sat Dec 18 13:49:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 4929 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JGRz50pRyz3wtM for ; Sat, 18 Dec 2021 13:49:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JGRz45mCyz4Wv; Sat, 18 Dec 2021 13:49:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JGRz45GCNz2ydN; Sat, 18 Dec 2021 
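Review bot: the OUTPUT rule in the hunk at line 139, `iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j DROP_HOSTILE`, matches on the source country of locally generated packets, which is always our own RED address and never XD, so outbound traffic to hostile networks is never dropped even though the comment and the commit message promise "from and to"; it should read `--dst-cc XD`, as the FORWARD `-o $IFACE` rule already does. Two further points on the same hunk: `$IFACE` is expanded during iptables_init(), when a PPPoE or dial-up RED interface may not exist yet and the variable may be empty, which turns `-i $IFACE -m geoip` into `-i -m geoip` and makes all four rules fail, so they belong in iptables_red_up() or in the REDINPUT/REDFORWARD chains that are rebuilt there; and "i. e. listed at Spamhaus DROP et al." should be "e. g.", since Spamhaus DROP is one source behind the XD pseudo-country rather than its definition.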
13:49:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JGRz35jBxz2xXd for ; Sat, 18 Dec 2021 13:49:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JGRz25wlbz4Wv for ; Sat, 18 Dec 2021 13:49:02 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1639835343; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KrKPoOvmTGLsaLuNN7IfKu8vOhfo9XZecbLeylU6Q8M=; b=PdX1rK2Np/qdIndUfd1cUKptFfZj4IMlKzTp+nbpPZA179IZK/iMNa2ycQ/FB2dSzi3kuQ AwQE2Scg43x64OAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1639835343; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KrKPoOvmTGLsaLuNN7IfKu8vOhfo9XZecbLeylU6Q8M=; b=HKPxLo+fUyySgOorOOGDMvjwe9FwTTox4YfYVWVv/4UtI6PJE6F2IJ8Lga0joowJWcR7GP XgX0UKzBSkfoSLvxJrEvxPPSSvaYnj60z288fWrrOUfcRPYpr+ZOuccdbPuyfdsRWNc+oA /zQ8FL5EbE5OSu2HTwswCkGQFRZ1SKRpvqLl5flxb5TNXkshnM+JDQ58oFwgEvNvgfzW8P C2nMsroD4LMnGNoIjKbr96tmJgMacTc4CY1906yTQsjW/4z+bBMwpvYOVV3xOD4B8GSFNM +t5zQdcrUaNV8kM2t/J/s8riJxdrqOtR8zu+RBoHG3IHnOv6xPDZCt+vW9k9qA== Subject: [PATCH 06/11] optionsfw.cgi: Make logging of spoofed/martians 
packets and the DROP_HOSTILE filter configurable To: development@lists.ipfire.org References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= Message-ID: <78b1b9c8-cdab-7dc9-fd9f-4593d69696ea@ipfire.org> Date: Sat, 18 Dec 2021 14:49:01 +0100 MIME-Version: 1.0 In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org> Content-Language: en-US X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Peter Müller --- html/cgi-bin/optionsfw.cgi | 96 +++++++++++++++++++++++++++++++------- 1 file changed, 80 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 1ecf4f180..481d5bdbd 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2014-2020 IPFire Team # +# Copyright (C) 2014-2021 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -110,6 +110,12 @@ $checked{'DROPWIRELESSINPUT'}{$settings{'DROPWIRELESSINPUT'}} = "checked='checke $checked{'DROPWIRELESSFORWARD'}{'off'} = ''; $checked{'DROPWIRELESSFORWARD'}{'on'} = ''; $checked{'DROPWIRELESSFORWARD'}{$settings{'DROPWIRELESSFORWARD'}} = "checked='checked'"; +$checked{'DROPSPOOFEDMARTIAN'}{'off'} = ''; +$checked{'DROPSPOOFEDMARTIAN'}{'on'} = ''; +$checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='checked'"; +$checked{'DROPHOSTILE'}{'off'} = ''; +$checked{'DROPHOSTILE'}{'on'} = ''; +$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'"; $checked{'DROPPROXY'}{'off'} = ''; $checked{'DROPPROXY'}{'on'} = ''; $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; @@ -195,24 +201,82 @@ END
- - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'fw logging'}
$Lang::tr{'drop newnotsyn'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop input'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop forward'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop outgoing'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop portscan'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop wirelessinput'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop wirelessforward'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'fw logging'}
$Lang::tr{'drop newnotsyn'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop input'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop forward'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop outgoing'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop portscan'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop wirelessinput'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop wirelessforward'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
$Lang::tr{'drop spoofed martians'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +

+ + + + + + + + +
$Lang::tr{'fw red'}
$Lang::tr{'drop hostile'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
+
+
$Lang::tr{'fw blue'}
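Review bot: in the optionsfw.cgi patch above, the `$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}}` and `$checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}}` lookups in the @@ -110,6 +110,12 @@ hunk are only correct when those keys already exist in optionsfw/settings; on a system updated from an earlier release they are absent, `$settings{'DROPHOSTILE'}` is undef, neither radio button in the new 'fw red' row is rendered checked, and the page does not reflect the default that lfs/configroot seeds for fresh installs. Either append both keys in the update script or fall back to the intended default before this lookup, e.g. `$settings{'DROPHOSTILE'} = 'on' unless defined $settings{'DROPHOSTILE'};`. No validation of the two new values is visible in this patch either; if the save path writes %settings straight from the CGI hash, restrict DROPHOSTILE and DROPSPOOFEDMARTIAN to `on`/`off` before they are written to the settings file.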
$Lang::tr{'drop proxy'}$Lang::tr{'on'} /

From patchwork Sat Dec 18 13:49:15 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4930
Subject: [PATCH 07/11] Update German and English translation files
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: Peter Müller
Message-ID: <00a021e9-e24c-e4d6-0f00-1ae5f5ccbf29@ipfire.org>
Date: Sat, 18 Dec 2021 14:49:15 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
List-Id: IPFire development talk

Signed-off-by: Peter Müller
---
 langs/de/cgi-bin/de.pl | 9 +++++++--
 langs/en/cgi-bin/en.pl | 7 ++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..50829fc92 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, '24 hours' => '24 Stunden', @@ -909,12 +909,14 @@ 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"', 'drop action2' => 'Standardverhalten der (Input) Firewall', 'drop forward' => 'Verworfene, von der Firewall weitergeleitete Pakete protokollieren', +'drop hostile' => 'Pakete von und zu bösartigen Netzen (Spamhaus DROP-Listing, etc.) verwerfen', 'drop input' => 'Verworfene eingehende Pakete protokollieren', 'drop newnotsyn' => 'Verworfene neue Pakete ohne SYN-Markierung protokollieren (NewNotSYN)', 'drop outgoing' => 'Verworfene, von der Firewall ausgehende Pakete protokollieren', 'drop portscan' => 'Verworfene Portscan Pakete protokollieren', 'drop proxy' => 'Alle Pakete verwerfen, die nicht direkt an den Proxy gerichtet sind', 'drop samba' => 'Alle Pakete an Microsoftdienste verwerfen (Ports 135, 137, 138, 139, 445 und 1025)', +'drop spoofed martians' => 'Verworfene gefälschte Pakete und Marsianer protokollieren', 'drop wirelessforward' => 'Verworfene weitergeleitete Wireless-Pakete protokollieren', 'drop wirelessinput' => 'Verworfene eingehende Wireless-Pakete protokollieren', 'dst port' => 'Zielport', @@ -1106,7 +1108,7 @@ 'from email server' => 'Von E-Mail-Server', 'from email user' => 'Von E-Mail-Benutzer', 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig', -'fw blue' => 'Firewalloptionen für das Blaue Interface', +'fw blue' => 'Firewalloptionen für das blaue Interface', 'fw default drop' => 'Firewallrichtlinie', 'fw logging' => 'Firewallprotokollierung', 'fw settings' => 'Firewalleinstellungen', 
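Review bot: the @@ -1,4 +1,4 @@ hunk replaces the first line `%tr = (` with a line that reads identically here (so presumably a whitespace-only change), and the @@ -1106 hunk changes 'fw blue' from 'Blaue' to 'blaue'; neither is covered by the subject line, which is about adding the new strings. Either drop both from this commit or say in the commit message why they are included, so that a later bisect does not have to guess. The new German strings themselves are fine: 'drop spoofed martians' => 'Verworfene gefälschte Pakete und Marsianer protokollieren' correctly describes a logging switch, which matches the 'fw logging' section the option is placed in, and 'drop hostile' correctly describes a filtering switch.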
@@ -1114,6 +1116,7 @@ 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen', 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen', 'fw settings ruletable' => 'Leere Regeltabellen anzeigen', +'fw red' => 'Firewalloptionen für das rote Interface', 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)', 'fwdfw DROP' => 'Verwerfen (DROP)', 'fwdfw MODE1' => 'Alle Pakete verwerfen', @@ -1355,6 +1358,7 @@ 'host deny' => 'Liste der nicht Zugriffsberechtigten', 'host ip' => 'Host IP-Adresse', 'host to net vpn' => 'Host-zu-Netz Virtual Private Network (RoadWarrior)', +'hostile networks' => 'Bösartige Netze', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname und Domain werden bereits benutzt.', 'hostname cant be empty' => 'Hostname darf nicht leer bleiben.', @@ -2268,6 +2272,7 @@ 'spectre variant 1' => 'Spectre-Variante 1', 'spectre variant 2' => 'Spectre-Variante 2', 'spectre variant 4' => 'Spectre-Variante 4', +'spoofed or martians' => 'Gefälscht/Marsianer', 'squid extension methods' => 'Ihre extension_methods Liste', 'squid extension methods invalid' => 'Ihre \'extension_methods\' Liste darf nur Worte aus Großbuchstaben und Ziffer enthalten, die mittels eines Leerzeichens getrennt werden.', 'squid fix cache' => 'Zwischenspeicher reparieren', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index a92bb07f8..74955d20e 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1,4 +1,4 @@ -%tr = ( +%tr = ( %tr, '24 hours' => '24 Hours', 
@@ -934,12 +934,14 @@ 'drop action1' => 'Default behaviour of (outgoing) firewall in mode "Blocked"', 'drop action2' => 'Default behaviour of (input) firewall', 'drop forward' => 'Log dropped forward packets', +'drop hostile' => 'Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)', 'drop input' => 'Log dropped input packets', 'drop newnotsyn' => 'Log dropped new not SYN packets', 'drop outgoing' => 'Log dropped outgoing packets', 'drop portscan' => 'Log dropped portscan packets', 'drop proxy' => 'Drop all packets not addressed to proxy', 'drop samba' => 'Drop all Microsoft ports 135,137,138,139,445,1025', +'drop spoofed martians' => 'Log dropped spoofed packets and marsians', 'drop wirelessforward' => 'Log dropped wireless forward packets', 'drop wirelessinput' => 'Log dropped wireless input packets', 'dst port' => 'Dst Port', @@ -1141,6 +1143,7 @@ 'fw settings dropdown' => 'Show all networks on rulecreation site', 'fw settings remark' => 'Show remarks in ruletable', 'fw settings ruletable' => 'Show empty ruletables', +'fw red' => 'Firewall options for RED interface', 'fwdfw ACCEPT' => 'ACCEPT', 'fwdfw DROP' => 'DROP', 'fwdfw MODE1' => 'Drop all packets', @@ -1384,6 +1387,7 @@ 'host deny' => 'list with denied hosts', 'host ip' => 'Host IP address', 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', +'hostile networks' => 'Hostile networks', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', 'hostname cant be empty' => 'Hostname cannot be empty.', 
@@ -2309,6 +2313,7 @@ 'spectre variant 1' => 'Spectre Variant 1', 'spectre variant 2' => 'Spectre Variant 2', 'spectre variant 4' => 'Spectre Variant 4', +'spoofed or martians' => 'Spoofed/Martians', 'squid extension methods' => 'Your extension_methods list', 'squid extension methods invalid' => 'Your \'extension_methods\' list can only contain uppercase words of letters and digits, separated with a space. ', 'squid fix cache' => 'Repair cache',

From patchwork Sat Dec 18 13:49:41 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4931
Subject: [PATCH 08/11] collectd.conf: Keep track of DROP_{HOSTILE,SPOOFED_MARTIAN}
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: Peter Müller
Message-ID:
Date: Sat, 18 Dec 2021 14:49:41 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
List-Id: IPFire development talk

Signed-off-by: Peter Müller
---
 config/collectd/collectd.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 941c631c9..b80e3b785 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf
@@ -51,6 +51,8 @@ include "/etc/collectd.precache" Chain filter POLICYFWD DROP_FORWARD Chain filter POLICYOUT DROP_OUTPUT Chain filter POLICYIN DROP_INPUT + Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN + Chain filter HOSTILE DROP_HOSTILE #

From patchwork Sat Dec 18 13:49:56 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4932
Subject: [PATCH 09/11] graphs.pl: Display spoofed and hostile traffic in firewall hits diagram as well
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: Peter Müller
Message-ID:
Date: Sat, 18 Dec 2021 14:49:56 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
List-Id: IPFire development talk
Signed-off-by: Peter Müller --- config/cfgroot/graphs.pl | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 02341eb45..b964f1e80 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -3,7 +3,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # +# Copyright (C) 2005-2021 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -106,7 +106,7 @@ foreach (@sensorsdir){ sub makegraphbox { my ($origin, $name, $default_range) = @_; - + # Optional time range: Default to "day" unless otherwise specified $default_range = "day" unless ($default_range ~~ @time_ranges); @@ -154,7 +154,7 @@ sub updatecpugraph { "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j" ); - + my $nice = "CDEF:nice="; my $interrupt = "CDEF:interrupt="; my $steal = "CDEF:steal="; @@ -164,7 +164,7 @@ sub updatecpugraph { my $iowait = "CDEF:iowait="; my $irq = "CDEF:irq="; my $addstring = ""; - + for(my $i = 0; $i < $cpucount; $i++) { push(@command,"DEF:iowait".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-wait.rrd:value:AVERAGE" ,"DEF:nice".$i."=".$mainsettings{'RRDLOG'}."/collectd/localhost/cpu-".$i."/cpu-nice.rrd:value:AVERAGE" @@ -184,7 +184,7 @@ sub updatecpugraph { $iowait .= "iowait".$i.","; $irq .= "irq".$i.","; } - + for(my $i = 2; $i < $cpucount; $i++) { $addstring .= "ADDNAN,"; } 
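Review bot: the hunks at @@ -106, @@ -154, @@ -164 and @@ -184 only strip trailing whitespace in makegraphbox and updatecpugraph and have nothing to do with the firewall hits graph named in the subject; carrying them here makes the commit noisier to review and to bisect, so move them into a separate cleanup commit (the copyright year bump in the first hunk can stay).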
@@ -692,6 +692,8 @@ sub updatefwhitsgraph { "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE", "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", + "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", + "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
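Review bot: the two new DEF lines make RRDs::graph open iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd and iptables-filter-HOSTILE/ipt_bytes-DROP_HOSTILE.rrd unconditionally. RRDtool aborts the whole graph when any DEF names a file that does not exist, so on a box where collectd has not yet written these files (first run after the update, before the first collectd interval, or, if the SPOOFED_MARTIAN/HOSTILE chains are only created while the corresponding option is on, on every system with DROPHOSTILE=off) the firewall hits graph that worked before this patch will now return "Error in RRD::graph for firewallhits" instead of drawing the existing series. Either guarantee the chains always exist so the iptables plugin creates the files regardless of the setting, or push the DEF/STACK/GPRINT entries for each new series only when the .rrd file is present (`-e` check before building @command).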
@@ -722,6 +724,16 @@ sub updatefwhitsgraph { "GPRINT:portscan:AVERAGE:%8.1lf %sBps", "GPRINT:portscan:MIN:%8.1lf %sBps", "GPRINT:portscan:LAST:%8.1lf %sBps\\j", + "STACK:spoofedmartian".$color{"color12"}."A0:".sprintf("%-25s",$Lang::tr{'spoofed or martians'}), + "GPRINT:spoofedmartian:MAX:%8.1lf %sBps", + "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps", + "GPRINT:spoofedmartian:MIN:%8.1lf %sBps", + "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j", + "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}), + "GPRINT:hostile:MAX:%8.1lf %sBps", + "GPRINT:hostile:AVERAGE:%8.1lf %sBps", + "GPRINT:hostile:MIN:%8.1lf %sBps", + "GPRINT:hostile:LAST:%8.1lf %sBps\\j", ); $ERROR = RRDs::error; return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;

From patchwork Sat Dec 18 13:50:13 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4933
Subject: [PATCH 10/11] configroot: Enable logging of spoofed packets/martians by default
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: Peter Müller
Message-ID: <388c5d5a-91b1-619d-ae47-11b3475f7ed6@ipfire.org>
Date: Sat, 18 Dec 2021 14:50:13 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
List-Id: IPFire development talk

Signed-off-by: Peter Müller
---
 lfs/configroot | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lfs/configroot b/lfs/configroot index e0156c746..4fa7aba79 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -114,7 +114,7 @@ $(TARGET) : echo "ENABLED=off" > $(CONFIG_ROOT)/vpn/settings echo "01" > $(CONFIG_ROOT)/certs/serial echo "nameserver 1.2.3.4" > $(CONFIG_ROOT)/ppp/fake-resolv.conf - echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "FWPOLICY=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
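Review bot: in the @@ -114,7 +114,7 @@ hunk the `- echo "DROPNEWNOTSYN=on" >> $(CONFIG_ROOT)/optionsfw/settings` / `+ echo "DROPNEWNOTSYN=on" >> ...` pair is a whitespace-only change (the text is identical) that the subject line does not cover; drop it or move it to a separate commit so this patch contains only the DROPSPOOFEDMARTIAN default it is meant to add.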
@@ -130,6 +130,7 @@ $(TARGET) : echo "SHOWDROPDOWN=off" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings

From patchwork Sat Dec 18 13:50:27 2021
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 4934
Subject: [PATCH 11/11] configroot: Drop traffic from and to hostile networks by default
To: development@lists.ipfire.org
References: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
From: Peter Müller
Message-ID:
Date: Sat, 18 Dec 2021 14:50:27 +0100
In-Reply-To: <34588df1-b2b7-9dfc-1fa4-54a2476d1d7f@ipfire.org>
List-Id: IPFire development talk

Signed-off-by: Peter Müller
---
 lfs/configroot | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lfs/configroot b/lfs/configroot index 4fa7aba79..56c0c7c8f 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -131,6 +131,7 @@ $(TARGET) : echo "DROPWIRELESSINPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings + echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
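Review bot: as far as this hunk shows, lfs/configroot only seeds the settings file of a freshly built configuration, so `DROPHOSTILE=on` (and the `DROPSPOOFEDMARTIAN=on` line from the previous patch) never reaches installations that are updated in place; those need the same two lines appended to optionsfw/settings by the update script, otherwise the filter stays off there and the WebUI radio buttons have no stored value. Since the default is now 'on', every new install also depends on the hostile-network list (Spamhaus DROP, per the translation strings) being loadable at firewall start; the commit message should state whether the HOSTILE chain fails open (no rules) or closed when that list is missing or cannot be refreshed, because that decides whether an unreachable list source becomes an outage.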