Bug #3416

ipsec tunnel: properly reject unencrypted traffic

Added by Filippo Carletti about 4 years ago. Updated about 4 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-ipsec
Target version: v6.8
Security class:
Resolution:
Affected version: v6.8
NEEDINFO: No

Description

The firewall rule that blocks unencrypted traffic through a tunnel is too generic: it should block only traffic from one side of the tunnel to the other.
Currently, all traffic from the local lan to the remote end is blocked.


Related issues

Related to NethServer 6 - Enhancement #3393: ipsec tunnel restart blocks udp traffic CLOSED

Associated revisions

Revision 2742e01d
Added by Filippo Carletti about 4 years ago

ipsec: block traffic from selected subnets. Refs #3416

History

#1 Updated by Filippo Carletti about 4 years ago

#2 Updated by Filippo Carletti about 4 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

The firewall rule is

REJECT loc net:192.168.6.0/24

while it'd be:

REJECT loc:192.168.7.0/24 net:192.168.6.0/24
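
One way to check a running box for the over-broad rule this comment describes, as an added example that is not part of the ticket or of nethserver-ipsec: it parses `iptables -L loc2net -n` style output and flags every `ipsec-tunnel` reject rule whose source is still 0.0.0.0/0. The two listings below are constructed samples modelled on the before/after output quoted later in this ticket; on a real system you would feed it the output of `iptables -L loc2net -n` instead.

```python
import re

# Constructed sample listings in `iptables -L loc2net -n` format, modelled on the
# before/after output quoted later in this ticket (not captured from a real system).
BEFORE = """\
Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
reject     all  --  0.0.0.0/0            11.11.11.0/24       /* reject ipsec-tunnel: t1 */
reject     all  --  0.0.0.0/0            10.10.10.0/24       /* reject ipsec-tunnel: t1 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""
AFTER = """\
Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
reject     all  --  192.168.5.0/24       11.11.11.0/24       /* reject ipsec-tunnel: t1 */
reject     all  --  192.168.5.0/24       10.10.10.0/24       /* reject ipsec-tunnel: t1 */
reject     all  --  192.168.6.0/24       11.11.11.0/24       /* reject ipsec-tunnel: t1 */
reject     all  --  192.168.6.0/24       10.10.10.0/24       /* reject ipsec-tunnel: t1 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""

# columns: target prot opt source destination, then optional match text / comment
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
# shorewall records the tunnel name in the rule comment
TUNNEL_RE = re.compile(r"/\* reject ipsec-tunnel: (\S+) \*/")


def parse_chain(listing):
    """Turn an `iptables -L <chain> -n` listing into one dict per rule."""
    rules = []
    for line in listing.splitlines():
        if line.startswith("Chain ") or line.startswith("target "):
            continue  # chain banner and column header
        m = RULE_RE.match(line)
        if m:
            target, _prot, _opt, src, dst, extra = m.groups()
            rules.append({"target": target, "src": src, "dst": dst, "extra": extra})
    return rules


def overly_broad_tunnel_rejects(listing):
    """Return 'tunnel -> remote subnet' for each tunnel reject rule whose source is
    0.0.0.0/0, i.e. a rule that blocks every local network instead of the tunnel's own."""
    findings = []
    for r in parse_chain(listing):
        m = TUNNEL_RE.search(r["extra"])
        if m and r["target"].lower() == "reject" and r["src"] == "0.0.0.0/0":
            findings.append(f"{m.group(1)} -> {r['dst']}")
    return findings
```

An empty result for the patched listing is the expected outcome; any finding means a tunnel's local side is still unspecified.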

#3 Updated by Filippo Carletti about 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Filippo Carletti
  • % Done changed from 20 to 30

#4 Updated by Filippo Carletti about 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

#5 Updated by Filippo Carletti about 4 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Package in nethserver-testing:
nethserver-ipsec-1.1.7-1.2.g2742e01.ns6.noarch.rpm

Test case:
see issue #3393

#6 Updated by Giacomo Sanchietti about 4 years ago

  • Assignee set to Giacomo Sanchietti

#7 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Difference in iptables rules before and after update:

--- before       2016-07-13 13:24:19.563404254 +0000
+++ after        2016-07-13 13:24:36.316348818 +0000
@@ -186,8 +186,10 @@
 Chain loc2net (1 references)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
-reject     all  --  0.0.0.0/0            11.11.11.0/24       /* reject ipsec-tunnel: t1 */ 
-reject     all  --  0.0.0.0/0            10.10.10.0/24       /* reject ipsec-tunnel: t1 */ 
+reject     all  --  192.168.5.0/24       11.11.11.0/24       /* reject ipsec-tunnel: t1 */ 
+reject     all  --  192.168.5.0/24       10.10.10.0/24       /* reject ipsec-tunnel: t1 */ 
+reject     all  --  192.168.6.0/24       11.11.11.0/24       /* reject ipsec-tunnel: t1 */ 
+reject     all  --  192.168.6.0/24       10.10.10.0/24       /* reject ipsec-tunnel: t1 */ 
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

 Chain loc_frwd (1 references)
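Review bot: the four replacement reject rules narrow the source from 0.0.0.0/0 to 192.168.5.0/24 and 192.168.6.0/24 and still sit above the final ACCEPT-all, so hosts in those two subnets are refused cleartext access to 11.11.11.0/24 and 10.10.10.0/24 while any other loc address now falls through to the catch-all ACCEPT; worth confirming that every local subnet meant to use tunnel t1 is listed as a source here, because a subnet missing from the list reaches the remote networks unencrypted instead of being rejected.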
@@ -297,7 +299,7 @@
 tcpflags   tcp  --  0.0.0.0/0            0.0.0.0/0           
 lvpn2fw    all  --  0.0.0.0/0            0.0.0.0/0           policy match dir in pol none match-set lvpn src 

-Chain reject (15 references)
+Chain reject (17 references)
 target     prot opt source               destination         
 DROP       all  --  0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST 
 DROP       all  --  224.0.0.0/4          0.0.0.0/0           
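Review bot: the reject chain's reference count going from 15 to 17 is consistent with the loc2net hunk (four rules added, two removed, net +2); nothing else in this hunk changes, so no action is needed here.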

#8 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
  • nethserver-ipsec-1.1.8-1.ns6.noarch.rpm
