From patchwork Fri Mar 11 14:43:11 2022
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 5337
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH] firewall: Make blocking all traffic impossible on HOSTILE
Date: Fri, 11 Mar 2022 14:43:11 +0000
Message-Id: <20220311144311.2642666-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

The current setup can fail and block all traffic on RED if the RETURN rules could not be created. This can happen when the kernel fails to load the ipset module, as is the case after upgrading to a new kernel. Restarting the firewall will cause the system to be cut off from the internet.

This design now changes that: if those rules cannot be created, the DROP_HOSTILE feature is just inactive, but it would not disrupt any traffic.

Signed-off-by: Michael Tremer
Signed-off-by: Daniel Weismüller
---
 config/firewall/rules.pl        | 12 +++---------
 src/initscripts/system/firewall | 11 +++++++----
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 57f4809b4..d71304986 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -701,15 +701,9 @@ sub drop_hostile_networks () { # Call function to load the network list of hostile networks. &ipset_restore($HOSTILE_CCODE); - # Setup rules to pass traffic which does not belong to a hostile network. - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set ! --match-set $HOSTILE_CCODE src -j RETURN"); - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set ! --match-set $HOSTILE_CCODE dst -j RETURN"); - - # Setup logging. - run("$IPTABLES -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix \"DROP_HOSTILE \""); - - # Drop traffic from/to hostile network. - run("$IPTABLES -A HOSTILE -j DROP -m comment --comment \"DROP_HOSTILE\""); + # Check traffic in incoming/outgoing direction and drop if it matches + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP"); } sub get_protocols { diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 2c4d3163b..2a70feac2 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -262,10 +262,13 @@ iptables_init() { # Chains for networks known as being hostile, posing a technical threat to our users # (i. e. listed at Spamhaus DROP et al.) iptables -N HOSTILE - iptables -A INPUT -i $IFACE -j HOSTILE - iptables -A FORWARD -i $IFACE -j HOSTILE - iptables -A FORWARD -o $IFACE -j HOSTILE - iptables -A OUTPUT -o $IFACE -j HOSTILE + iptables -A INPUT -j HOSTILE + iptables -A FORWARD -j HOSTILE + iptables -A OUTPUT -j HOSTILE + + iptables -N HOSTILE_DROP + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" # Tor (inbound) iptables -N TOR_INPUT
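Review bot: In the rules.pl hunk, the two new `-m set --match-set $HOSTILE_CCODE ... -j HOSTILE_DROP` rules are the only thing that now makes DROP_HOSTILE take effect, and their `run()` results are not checked. That is fine for the fail-open goal (if the ipset module is missing, both `ipset_restore` and the `-m set` rules fail and the HOSTILE chain simply falls through), but it also means the feature can be silently disabled after a kernel upgrade with nothing in the logs. Suggest checking the return value of those two `run()` calls and emitting a warning such as "DROP_HOSTILE is inactive: could not create ipset match rules" so an administrator can see that the protection is off rather than discovering it later. Also worth a comment in this function that the `HOSTILE_DROP` target chain is created by `iptables_init` in the firewall initscript, since rules.pl now depends on it existing.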
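Review bot: In the initscript hunk, the `-i $IFACE` / `-o $IFACE` restrictions on the INPUT, FORWARD and OUTPUT jumps are dropped, so every packet on every interface (including green/blue internal traffic) now enters the HOSTILE chain, and the interface check lives only in the `-i $RED_DEV` / `-o $RED_DEV` matches in rules.pl. The end behaviour is equivalent, but the split creates an implicit coupling between the two files: if someone later adds a rule to HOSTILE without the RED_DEV match, it will apply to internal traffic too. Suggest a one-line comment above `iptables -A INPUT -j HOSTILE` stating that interface matching for this chain is done in rules.pl, so the two do not drift apart. The separate `HOSTILE_DROP` chain carrying the rate-limited LOG and the DROP is a good change, since the logging and drop rules no longer depend on the ipset rules being created.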