git.ipfire.org Git - ipfire-2.x.git/commitdiff
firewall: Prevent spoofing our own RED IP address
author Peter Müller <peter.mueller@ipfire.org>
Sat, 18 Dec 2021 13:48:33 +0000 (14:48 +0100)
committer Peter Müller <peter.mueller@ipfire.org>
Fri, 14 Jan 2022 14:16:39 +0000 (14:16 +0000)
There is no legitimate reason why traffic from our own IP address on RED
should ever appear incoming on that interface.

This prevents attackers from impersonating IPFire itself, and is only
cleared/reset if the RED interface is brought up. Therefore, an attacker
cannot bypass this by forcing a dial-up or DHCP connection to break down.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
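An added example, not IPFire's own code, of the same anti-spoofing rule construction with the input checks a reviewer would ask for: the address read from the `local-ipaddress` file is validated as a single dotted-quad IPv4 address before it is placed into `-s`, an empty or missing file yields no rule and a non-zero return instead of a malformed iptables call, and the function prints the command rather than running it so it can be exercised without root. The function names, the temporary file handling, the interface names and the 203.0.113.0/24 test addresses (documentation space) are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not IPFire's code): build the REDINPUT anti-spoofing rule
# only from a well-formed IPv4 address. Names below are illustrative.

# Return 0 if $1 is exactly four decimal octets in 0..255 separated by dots.
# Leading zeros are rejected because inet_aton-style parsers read them as
# octal, so "010.0.0.1" would silently become a different address.
is_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    rest="$addr."          # trailing dot so every octet ends with one
    n=0
    while [ -n "$rest" ]; do
        o="${rest%%.*}"
        rest="${rest#*.}"
        # empty octet (leading, trailing or doubled dot) or out of range
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
        case "$o" in 0?*) return 1 ;; esac
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Print the iptables command for address $1 on interface $2, mirroring the
# commit's rule. Prints nothing and returns 1 if either input is unusable,
# so a caller never runs "iptables -s -i ..." with a missing address.
red_antispoof_rule() {
    redip="$1"
    iface="$2"
    is_ipv4 "$redip" || return 1
    [ -n "$iface" ] || return 1
    printf 'iptables -A REDINPUT -s %s -i %s -j SPOOFED_MARTIAN\n' "$redip" "$iface"
}

# Same, but read the address from file $1 (IPFire keeps it in
# /var/ipfire/red/local-ipaddress), trimming surrounding whitespace.
# A missing or empty file returns 1 rather than producing a broken rule.
red_antispoof_rule_from_file() {
    file="$1"
    iface="$2"
    [ -f "$file" ] || return 1
    redip="$(tr -d '[:space:]' < "$file")"
    red_antispoof_rule "$redip" "$iface"
}

# Stand-alone demonstration with a constructed address and interface name;
# the IPFire script would pass "$IFACE" or "$DEVICE" here.
red_antispoof_rule 203.0.113.5 ppp0
```

Because the functions only print the command, the script can be run as an unprivileged user; in the real init script the printed command would be executed directly, and the non-zero return is the point at which to log that no anti-spoofing rule was installed.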
src/initscripts/system/firewall

index 1c62c6e2cd593ead372ab9b7897dfa2849b1de7f..9e62c0245cd6b8965c94a5e8832f9b7b4cdae850 100644 (file)
@@ -374,6 +374,17 @@ iptables_red_up() {
        iptables -F REDFORWARD
        iptables -t nat -F REDNAT
 
+       # Prohibit spoofing our own IP address on RED
+       if [ -f /var/ipfire/red/active ]; then
+               REDIP="$( cat /var/ipfire/red/local-ipaddress )";
+
+               if [ "$IFACE" != "" ]; then
+                       iptables -A REDINPUT -s $REDIP -i $IFACE -j SPOOFED_MARTIAN
+               elif [ "$DEVICE" != "" ]; then
+                       iptables -A REDINPUT -s $REDIP -i $DEVICE -j SPOOFED_MARTIAN
+               fi
+       fi
+
        # PPPoE / PPTP Device
        if [ "$IFACE" != "" ]; then
                # PPPoE / PPTP
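Review bot: the new block at the top of this hunk reads `REDIP="$( cat /var/ipfire/red/local-ipaddress )"` and then passes it unquoted as `-s $REDIP` without checking that the file exists or contains anything; if `/var/ipfire/red/active` is present but `local-ipaddress` is missing or empty, the command degrades to `iptables -A REDINPUT -s -i $IFACE -j SPOOFED_MARTIAN`, iptables rejects it, and the script carries on with no anti-spoofing rule installed and nothing to say so. Suggest guarding the rule with `[ -n "$REDIP" ]` (or testing `-s /var/ipfire/red/local-ipaddress` instead of `-f .../active`), quoting `"$REDIP"`, and logging when the rule is skipped. The same silent failure applies to the `-j SPOOFED_MARTIAN` target, which this hunk uses but neither creates nor flushes; worth confirming that chain exists before this point in `iptables_red_up`. Minor: the trailing `;` on the REDIP assignment is unnecessary.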