fw4: do not allow setting ports for non-TCP or -UDP rules and redirects #42
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
hmm nice catch ... What about "assume tcp udp when no protocol is set"? |
Currently, it is possible to set source and destination ports for 'proto' like 'all' or 'icmp', although only 'tcp' and 'udp' ports are converted into the nftables ruleset. While this might not be a problem for a protocol like ICMP, there is a security risk when the user specifies 'all', because then the rule/redirect applies to all L4 ports, including TCP and UDP, regardless if the user sets specific ports. This commit checks for rules and redirects that if any port was set the protocol must be TCP and/or UDP. If not, the user will be informed via a warning, and the rule/redirect will be ignored. Should the protocol be 'all', it is automatically corrected to TCP and UDP by the ucode function ensure_tcpudp. Signed-off-by: Til Kaiser <[email protected]>
Thanks for the hint! I just noticed there is already a convenient
Doesn't seem to be possible, if I enter |
|
|
Original accounts portless protos. |
brada4
approved these changes
Jan 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, it is possible to set source and destination ports for
protolikealloricmp, although onlytcpandudpports are converted into thenftablesruleset.While this might not be a problem for a protocol like
ICMP, there is a security risk when the user specifiesall, because then the rule/redirect applies to all L4 ports, includingTCPandUDP, regardless if the user sets specific ports.This commit checks for rules and redirects that if any port was set the protocol must be
TCPand/orUDP. If not, the user will be informed via a warning, and the rule/redirect won't be applied. Should the protocol beall, it is automatically correctedto
TCPandUDPby theucodefunctionensure_tcpudp.Here are two examples for an input and a DNAT rule:
config rule option name 'Rule-Test' option src 'wan' option dest_port '22' option proto 'all' option target 'ACCEPT' config redirect option name 'DNAT-Test' option src 'wan' option src_dport '22222' option dest 'lan' option dest_ip '192.168.1.2' option dest_port '22' option proto 'all' option target 'DNAT'Resulting into the following
nftablesrules:chain input_wan { counter packets 0 bytes 0 accept comment "!fw4: Rule-Test" ct status dnat accept comment "!fw4: Accept port redirections" jump reject_from_wan } chain dstnat_wan { meta nfproto ipv4 counter packets 0 bytes 0 dnat ip to 192.168.1.2 comment "!fw4: DNAT-Test" }The input rule ignores the destination port and, therefore, accepts any incoming traffic, while the DNAT rule redirects any IPv4 traffic to the given destination IP
192.168.1.2, ignoring any port settings.