diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 14:28:53 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-18 14:28:57 +0200 |
| commit | f3e90041c28a74c94d06f419889691f533422c2f (patch) | |
| tree | 156dd487aad3a5ffdd84317d5de9abad6e63e2ae | |
| parent | 61ba2a2fe12ffd5578429dfe1d354a1c5d16517a (diff) | |
Firewall: note on reqid matching.
To be done when we upgrade to Bullseye for more fine-grained control.
| -rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 2261994..098a66d 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -44,43 +44,44 @@ define out-tcp-ports = { ############################################################################### flush ruleset table inet filter { # blackholes set fail2ban { type ipv4_addr; timeout 10m; } set fail2ban6 { type ipv6_addr; timeout 10m; } chain input { type filter hook input priority 0 policy drop iif lo accept # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions # to match match inbound resp. outbound policies and source resp. destination tunnel addresses. # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP - # encapsulation.) + # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way + # peers can't impersonate each other. meta l4proto esp accept - # ipsec in ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} accept + # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) icmp type { echo-reply, echo-request, destination-unreachable } counter accept icmpv6 type { echo-reply, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1 icmpv6 type { 133,134,135,136,141,142 } ip6 hoplimit 255 counter accept jump martian jump invalid udp sport 123 udp dport 123 ct state related,established accept {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept {% endif %} {% endif %} @@ -93,41 +94,41 @@ table inet filter { {% endif %} meta l4proto tcp ip saddr @fail2ban counter drop meta l4proto tcp ip6 saddr @fail2ban6 counter drop tcp dport $in-tcp-ports ct state related,established accept tcp dport $in-tcp-ports ct state new counter accept tcp sport $out-tcp-ports ct state related,established accept } chain output { type filter hook output priority 0 policy drop oif lo accept # XXX Bullseye: unlike for input we can't use marks or test for # secpath existence here, because by the time we see a packet to # 172.16.0.0/24 we don't know if it'll be encapsulated meta l4proto esp accept - # ipsec out ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept + # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept meta l4proto { icmp, icmpv6 } accept jump martian jump invalid udp sport 123 udp dport 123 ct state new,related,established accept {% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept {% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept {% endif %} {% endif %} udp dport 53 ct state new,related,established accept tcp dport 53 ct state new,related,established accept {% if 'dhclient' in group_names %} ip version 4 udp sport 68 udp dport 67 ct state new,related,established accept ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept |