diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 02:32:24 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 02:32:24 +0200 |
commit | bc41db5237d188c339d25d96a20465e488ea5475 (patch) | |
tree | 47765c4acb8a21166435b00aa9d184543d87bf7e | |
parent | 7a36aa2b69d16b768c1e23829087d26a9e87423f (diff) |
Firewall: Harden IPsec configuration by pining the reqids.
-rw-r--r-- | roles/common/templates/etc/ipsec.conf.j2 | 1 | ||||
-rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 29 |
2 files changed, 16 insertions, 14 deletions
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2 index e7505b4..eaa9a08 100644 --- a/roles/common/templates/etc/ipsec.conf.j2 +++ b/roles/common/templates/etc/ipsec.conf.j2 @@ -37,6 +37,7 @@ conn {{ hostvars[host].inventory_hostname_short }} {% endif %} rightsigkey = {{ hostvars[host].inventory_hostname_short }}.pem rightsubnet = {{ ipsec[ hostvars[host].inventory_hostname_short ] | ansible.utils.ipv4 }}/32 + reqid = {{ ipsec[ hostvars[host].inventory_hostname_short ].replace(":",".").split(".")[-1] }} {% if 'NATed' not in group_names and 'NATed' in hostvars[host].group_names %} mobike = yes {% endif %} diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index 805d1a8..f603ed9 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -155,16 +155,8 @@ table inet filter { iif lo accept - # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions - # to match match inbound resp. outbound policies and source resp. destination tunnel addresses. - # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables - # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html - # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP - # encapsulation.) We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way - # peers can't impersonate each other. meta l4proto esp accept - # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept - ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept + ip daddr {{ ipsec[inventory_hostname_short] }} jump ipsec-in # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept @@ -200,12 +192,8 @@ table inet filter { oif lo accept - # XXX Bullseye: unlike for input we can't use marks or test for - # secpath existence here, because by the time we see a packet to - # 172.16.0.0/24 we don't know if it'll be encapsulated meta l4proto esp accept - # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept - ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept + ip saddr {{ ipsec[inventory_hostname_short] }} jump ipsec-out meta l4proto { icmp, icmpv6 } counter accept @@ -234,4 +222,17 @@ table inet filter { meta l4proto udp counter reject counter reject } + + chain ipsec-in { +{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %} + ip saddr {{ ipsec[h] }} ipsec in reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept +{% endfor %} + log prefix "ipsec-in " drop + } + chain ipsec-out { +{% for h in ipsec.keys() | difference([inventory_hostname_short]) | sort %} + ip daddr {{ ipsec[h] }} ipsec out reqid {{ ipsec[h].replace(":",".").split(".")[-1] }} counter accept +{% endfor %} + log prefix "ipsec-out " drop + } } |