search

arno-iptables-firewall / aif

GNU General Public License v2.0
151 stars 24 forks source link

changed: Disable fragment dropping (and logging) by default and move … #60

Closed arnova closed 5 years ago

arnova commented 5 years ago

…it to a single place for INPUT, FORWARD and OUTPUT

arnova commented 5 years ago

@abelbeck : Lonnie, also packet defragmentation is bugged in (some versions of) nftables. Not so long ago we already had a discussion about packet defragmentation. I think it's safe if we turn this off by default, right?

abelbeck commented 5 years ago

@arnova The problem with the -f option was with the real iptables 1.8.1, fixed in 1.8.2. See Issue #53 .

I'm not yet convinced we have an issue with handling packet invalid-fragments.

Hooking in on VALID_CHK and OUTPUT seems correct, possibly only OUTPUT to protect other devices.

I vote holding off on this change until more research is done to justify a change.

arnova commented 5 years ago

@abelbeck : Yes, it also caused a problem with the "real" iptables, but with nftables emulation it's also broken. As it turns out -f converts to "ip frag-off & 65311 != 0", where it should (just) be "ip frag-off != 0". So yes, another problem in nftables. However, the reporter says that with this fix (and the others already in mainline) all problems he previously had are gone.

abelbeck commented 5 years ago

However, the reporter says that with this fix (and the others already in mainline) all problems he previously had are gone.

Good to hear.

abelbeck commented 5 years ago

@arnova Short answer, I think we can remove all -f -j DROP because of our connection tracking.

Details... looking at:

-A VALID_CHK -m conntrack --ctstate INVALID -j POST_INPUT_DROP_CHAIN
-A VALID_CHK -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "AIF:Fragment packet: "
-A VALID_CHK -f -j DROP

I don't see how a -f packet could match after the -m conntrack --ctstate INVALID rule, do you ?

I looked at the kernel source for insight: https://elixir.bootlin.com/linux/v3.16.62/source/net/netfilter/xt_conntrack.c#L181 https://elixir.bootlin.com/linux/v3.16.62/source/net/netfilter/xt_state.c#L32 basically if a packet is not added to the conntrack list it is invalid.

The only other occurrence is with -A OUTPUT -f -j DROP which would require malicious code running on the AIF box to generate outbound invalid-fragment packets, agree ?