summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2024-09-08 02:32:24 +0200
committerGuilhem Moulin <guilhem@fripost.org>2024-09-08 02:32:24 +0200
commitbc41db5237d188c339d25d96a20465e488ea5475 (patch)
tree47765c4acb8a21166435b00aa9d184543d87bf7e
parent7a36aa2b69d16b768c1e23829087d26a9e87423f (diff)
Firewall: Harden IPsec configuration by pining the reqids.
-rw-r--r--roles/common/templates/etc/ipsec.conf.j21
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j229
2 files changed, 16 insertions, 14 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
index e7505b4..eaa9a08 100644
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ b/roles/common/templates/etc/ipsec.conf.j2
@@ -37,6 +37,7 @@ conn {{ hostvars[host].inventory_hostname_short }}
{% endif %}
rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem
rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32
+ reqid = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }}
{% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %}
mobike = yes
{% endif %}
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 805d1a8..f603ed9 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -155,16 +155,8 @@ table inet filter {
iif lo accept
- # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
- # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
- # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
- # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
- # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
- # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
- # peers can't impersonate each other.
meta l4proto esp accept
- # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
- ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
+ ip daddr {{ ipsec[inventory_hostname_short] }} jump ipsec-in
# incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
meta l4proto { icmp, icmpv6 } counter accept
@@ -200,12 +192,8 @@ table inet filter {
oif lo accept
- # XXX Bullseye: unlike for input we can't use marks or test for
- # secpath existence here, because by the time we see a packet to
- # 172.16.0.0/24 we don't know if it'll be encapsulated
meta l4proto esp accept
- # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
- ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
+ ip saddr {{ ipsec[inventory_hostname_short] }} jump ipsec-out
meta l4proto { icmp, icmpv6 } counter accept
@@ -234,4 +222,17 @@ table inet filter {
meta l4proto udp counter reject
counter reject
}
+
+ chain ipsec-in {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+ ip saddr {{ ipsec[h] }} ipsec in reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+ log prefix "ipsec-in " drop
+ }
+ chain ipsec-out {
+{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %}
+ ip daddr {{ ipsec[h] }} ipsec out reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept
+{% endfor %}
+ log prefix "ipsec-out " drop
+ }
}