adrelanos / vpn-firewall

Leak Protection (Fail Safe Mechanism) for (Open)VPN
https://www.whonix.org/wiki/Impressum

Drop traffic to localhost that does not originate from lo #39

Closed ghost closed 6 years ago

ghost commented 6 years ago

Prevents spoofing

adrelanos commented 6 years ago

Interesting! Did you see this recommended anywhere or used ever anywhere else?

Could / should we log this so we notice in case we break anything?

How to test this? Any examples causing such traffic?

//cc @marmarek What do you think? If this is useful, we should also use it for Whonix and maybe even Qubes?

adrelanos commented 6 years ago

If we are going to use this, we also need this for IPv6, right?

marmarek commented 6 years ago

This is done by default by "rp_filter" (reverse-path filter), unless disabled by writing 0 to /proc/sys/net/ipv4/conf/all/rp_filter. It is a simple mechanism that filters packets based on their source addresses and the route table. So, a route table entry of 127.0.0.0/8 dev lo is enough.

marmarek commented 6 years ago

For IPv6 apparently this needs to be done at ip6tables level, using rpfilter match.

ghost commented 6 years ago

I agree, it should be left to the /proc/sys/net/ipv4/conf/all/rp_filter setting. However I don't know if touching sysctls should be in the scope of this project.

In the IPv6 case, as I can't test it, I'm not touching it.
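The pieces discussed in this thread, pulled together as an added shell example (this is not code from the vpn-firewall project): the IPv4 rule that drops packets addressed to 127.0.0.0/8 arriving on anything but lo, a rate-limited LOG rule in front of it so breakage shows up in the kernel log (adrelanos's question), the IPv6 equivalent using the ip6tables rpfilter match (marmarek's pointer), and a check of the rp_filter sysctl. The function names, the DRY_RUN variable and the log prefixes are my own choices; the block assumes iptables/ip6tables with the LOG target and the rpfilter match available, and defaults to printing the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not part of vpn-firewall. DRY_RUN=1 (the default) prints the
# iptables commands; DRY_RUN=0 executes them (needs root).
set -eu

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IPv4: packets addressed to the loopback range that did not enter via lo are
# spoofed or misrouted. Log a limited number of them first so that any rule
# breakage is visible in the kernel log, then drop.
localhost_rules_v4() {
  run iptables -A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 5/min \
    -j LOG --log-prefix "LOCALHOST_SPOOF: "
  run iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
}

# IPv6: same idea for ::1, plus a reverse-path check with the rpfilter match,
# since there is no net.ipv6 rp_filter sysctl. "--invert" matches packets that
# FAIL the reverse-path test; the raw table PREROUTING chain sees them earliest.
localhost_rules_v6() {
  run ip6tables -A INPUT ! -i lo -d ::1/128 -m limit --limit 5/min \
    -j LOG --log-prefix "LOCALHOST6_SPOOF: "
  run ip6tables -A INPUT ! -i lo -d ::1/128 -j DROP
  run ip6tables -t raw -A PREROUTING -m rpfilter --invert -j DROP
}

# Return 0 when the IPv4 reverse-path filter is active (1 = strict, 2 = loose),
# 1 when it is disabled (0) or the file is unreadable. The path argument exists
# so the check can be exercised against a constructed file.
rp_filter_enabled() {
  f="${1:-/proc/sys/net/ipv4/conf/all/rp_filter}"
  [ -r "$f" ] || return 1
  v=$(cat "$f")
  [ "$v" = "1" ] || [ "$v" = "2" ]
}

# Stand-alone run: print the rule set and report the sysctl state.
if [ "${RUN_MAIN:-1}" = "1" ]; then
  localhost_rules_v4
  localhost_rules_v6
  if rp_filter_enabled; then
    echo "rp_filter active: IPv4 localhost spoofing already rejected by routing"
  else
    echo "rp_filter disabled or unreadable: IPv4 rules above are the only guard"
  fi
fi
```

Note that the kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so checking "all" alone is a lower bound; when it is 0, the explicit iptables rules are what stands between a spoofed packet and a service bound to 127.0.0.1.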