Commit Graph

138 Commits

Author SHA1 Message Date
Michael Tremer
ce31144c62 firewall: Only check relevant bits for NAT fix rules
In order to use the highest two bits for suricata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2021-10-13 11:45:48 +00:00
Stefan Schantl
21b37391f9 Firewall: Properly allow creating REDIRECT rules.
This patch now properly allows creating rules for redirecting requests of a
given host, group or network(s) to a specified port or service on the
local IPFire system.

So it implements a very generic and easy-to-use feature to redirect
(for example all DNS, NTP, or whatever) requests to a locally running
instance and so force usage of that locally hosted service.

* The feature supports specifying a single port and redirecting the requests to another given one.
  (For example requests to UDP 123 can be redirected to local UDP 1234
  if you run an NTP server on that port.)

* It also supports direct usage of services or even service groups.
  (So you can create a service group for DNS and redirect them to the
  local recursor, or create a "redirected services" group which easily
  can be managed...)

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2021-08-16 06:18:00 +00:00
Michael Tremer
053a582d3a ipsec-policy: Do not create DROP rules for on-demand mode
This is not necessary and gets in the way if users have SNAT rules or
other things that make the check be in the wrong place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2021-06-11 16:15:37 +00:00
Peter Müller
2293e1de0b rules.pl: apply location filter to ppp0 if configured
In order to prevent collateral damage to internal traffic, commit
c69c820025 introduced applying the location
block on red0 as a sanity check.

On systems configured to use PPPoE, however, traffic appears on the ppp0
interface instead. This patch checks if a system is configured to use
this connection method, and applies the location filter to this
interface. red0 is used otherwise.

Fixes: #12519

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-11-11 15:53:05 +00:00
Michael Tremer
c69c820025 firewall: Filter only on RED and exclude any private address space
Since libloc is built as a tree we cannot simply exclude any address
space in the middle of it. Therefore we create some firewall rules
which simply avoid checking non-globally routable address space.

Fixes: #12499
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-10-14 11:32:05 +01:00
Stefan Schantl
18c9fd2820 firewall-lib.pl: Fix typo.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2020-06-13 19:10:15 +02:00
Stefan Schantl
006e3c6c31 firewall-lib.pl: Rework code to use location-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2020-06-12 19:21:27 +02:00
Stefan Schantl
46269ee5fb Transform geoipblock into locationblock settings file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2020-06-12 19:09:29 +02:00
Stefan Schantl
5730a5bcdf firewall/rules.pl: Rework code to use location-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2020-06-12 19:06:01 +02:00
Michael Tremer
0e6eca78b8 firewall: Rename GEOIPBLOCK table to LOCATIONBLOCK
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-06-12 16:00:34 +02:00
Stefan Schantl
4852f77e33 Revert "firewall/rules.pl: Add code to collect and export all required country"
This reverts commit ad47d2ae80.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2020-06-10 21:29:04 +02:00
Stefan Schantl
38a8d40142 Revert "firewall/rules.pl: Only try to export locations if needed."
This reverts commit 693b8513df.
2020-06-10 21:28:16 +02:00
Stefan Schantl
8b58dbf32a Merge branch 'switch-to-libloc' into next-switch-to-libloc
2020-05-25 19:58:54 +02:00
Michael Tremer
c22369a916 firewall: Log accepted connections even when NAT is active
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-05-09 12:21:16 +00:00
Stefan Schantl
c4b7692ad9 rules.pl: Fix SNAT over VPN.
This commit adds flags which are applied if SNAT should be used on
the red address or any configured alias.

They prevent doing the SNAT when transmitting packets through a VPN over the red interface.

Fixes #12162.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-21 16:24:44 +00:00
Stefan Schantl
693b8513df firewall/rules.pl: Only try to export locations if needed.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-12-09 18:36:54 +01:00
Stefan Schantl
ad47d2ae80 firewall/rules.pl: Add code to collect and export all required country
codes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-12-09 11:08:23 +01:00
Stefan Schantl
f5ad4246de firewall/rules.pl: Make geoipsettings hash and locations array
script-wide available.

This allows re-using them.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2019-12-09 11:04:30 +01:00
Stefan Schantl
dba780a784 firewall-lib.pl: Populate GeoIP rules only if location is available.
In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-29 13:23:43 +00:00
peter.mueller@ipfire.org
a85a7a60fc firewall: raise log rate limit for user generated rules, too
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises the log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
5653e55107 perl-scripts: suppress smartmatch experimental warning
smartmatch was introduced with perl 5.10 and was marked
as experimental in 5.14

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-08-16 12:21:26 +02:00
Michael Tremer
249839b0ca firewall: Fix source/destination interface settings
When a forwarding rule is being created, we sometimes create
INPUT/OUTPUT rules, too. Those were slightly invalid because
the source and destination interfaces were passed, too.

This could render some rules in certain circumstances useless.

This patch fixes this and only adds -i for INPUT and -o for
OUTPUT rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-04-30 10:56:05 +01:00
Michael Tremer
ae93dd3deb firewall: Add more rules to input/output when adding rules to forward
The special_input/output_targets array assumed that firewall access
will always be denied. However, rules also need to be created when
access is granted. Therefore the ACCEPT target needs to be included
in this list and rules must be created in INPUTFW/OUTGOINGFW too
when ACCEPT rules are created in FORWARDFW.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-04-30 10:45:34 +01:00
Michael Tremer
7ba652af8c firewall: Write correct rules bound to interface for routed IPsec tunnels
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
6826364580 ipsec-*: Name some more configuration variables
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
c32fc72e36 ipsec-policy: Correct open ports for connections on aliases
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
5a9c9ff312 ipsec-policy: Don't install any block rules for connections with an interface
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
b54cd874b9 ipsec-policy: Permit GRE traffic for GRE connections
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
2704dbbc28 ipsec-policy: Variables don't match those from the CGI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
4cf4f8f623 ipsec-policy: Parse all configuration settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
6cf8bc9161 IPsec: Move opening ports from ipsecctrl into ipsec-policy script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
6c920b19cd IPsec: Rename ipsec-block script to ipsec-policy
This is a more general name for a script that will be extended
soon to do more than just add blocking rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-02-04 18:20:36 +00:00
Michael Tremer
5cf83d56fa firewall-lib.pl: Fix incorrect path to geoip-functions.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-01-13 11:53:41 +01:00
Stefan Schantl
8ff42d82c4 firewall-lib.pl: Use get_geoip_locations from geoip-functions.pl
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-01-10 22:43:00 +00:00
Michael Tremer
9f60aa9679 syslog: Listen to network and block access from anywhere but localhost
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-11-07 20:07:53 +00:00
Michael Tremer
475ae4b3db firewall: Suppress more warnings when initialising without GREEN
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-07-01 11:49:57 +01:00
Alexander Marx
8b20ca2de4 BUG11559: firewall-lib
When creating firewall rules or using firewall groups,
it should be possible to select a single IPsec subnet if there is more than one.

This patch has necessary changes for the firewall-lib. While the network name of the IPsec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-05-09 14:48:42 +01:00
Michael Tremer
1f91201011 firewall: Suppress warning about uninitialized array in GeoIP code
Fixes #11597

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-01-22 13:20:04 +00:00
Michael Tremer
cda384a280 ipsec: Do not reject connections in on-demand mode
When an on-demand VPN connection is not up, the packets will
traverse the firewall and be rejected by the IPSECBLOCK chain,
which will cause an ICMP error message to be sent to
the client. If that does not happen and the packet is being
silently dropped, the client will retransmit and by then
the VPN connection will hopefully be up.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2017-03-24 13:24:42 +01:00
Michael Tremer
645378fbb9 firewall: Fix MAC filter
Packets destined for the firewall coming in from the blue
device were accepted too early to be processed by the
firewall input chain rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2016-02-05 10:24:03 +00:00
Alexander Marx
306098a498 BUG10994: SNAT rules are missing the outgoing interface
When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be sent unnatted to a VPN tunnel can be
natted, which is a BUG.
With this patch the SNAT rules are getting an outgoing interface
according to the configuration. When selecting the RED target network,
all SNAT rules will be configured with "-o red0". Otherwise, if "all" is
selected, there is no interface in the rule, which matches all networks.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-12-15 13:53:03 +00:00
Alexander Marx
0cf6bacad2 BUG10984: Fix portforwardconverter for upgrades before core 77
When upgrading from a post core-77 installation, the portforwarding
rules seem to get broken. With this patch the sourceports and the
subnetmasks from the rules are converted correctly.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-11-19 12:53:38 +00:00
Michael Tremer
80fbd89949 ipsec: Add block rules to avoid conntrack entries
If an IPsec VPN connection is not established, there are
rare cases when packets are supposed to be sent through
that said tunnel and are incorrectly handled.

Those packets are sent to the default gateway and an entry
for this connection is created in the connection tracking
table (usually only happens to UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register, among other things.

This patch adds firewall rules so that these packets are
rejected. That will send a notification to the client
that the tunnel is not up and avoid the connection being
added to the connection tracking table.

Apart from a small performance penalty there should
be no other side-effects.

Fixes: #10908

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
2015-10-15 22:44:47 +01:00
Michael Tremer
7c8e022c4b firewall: Support multiple subnets per IPsec tunnel
Fixes #10929

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2015-09-22 00:26:37 +01:00
Michael Tremer
7af1cf3949 firewall: Disable the P2P blocker by default
P2P networks have come a bit out of fashion. Disabling
the P2P blocker by default will save us some CPU cycles
for each packet that goes through the firewall.

The P2P blocker has also caused lots of false-positives
and has therefore become a bit more of a problem than
a solution.
2015-05-20 13:37:35 +02:00
Arne Fitzenreiter
0505af9dc0 rules.pl: fix geoip initialisation.
2015-04-20 23:14:11 +02:00
Stefan Schantl
0bb4b135d1 rules.pl: Flush GEOIPBLOCK chain when the feature is switched off.
Otherwise existing rules still remain in the chain and will be processed
even though geoipblock has been disabled.
2015-03-15 11:40:46 +01:00
Stefan Schantl
93bfe63d55 Merge branch 'seventeen-geoip' into next-geoip
2015-03-15 11:38:45 +01:00
Alexander Marx
2d0c7a9f7b BUG10620: move reload of firewall.local to main()
2015-03-11 17:11:59 +01:00
Alexander Marx
b9ca2fa60f Add support for generating GeoIP-based firewall rules.
This commit adds support to the rules.pl and firewall-lib.pl to generate
correct iptables commands for inserting GeoIP-based firewall rules
into the kernel.
2015-02-17 18:00:52 +01:00