From: peter.mueller@ipfire.org Date: Tue, 1 Oct 2019 15:22:00 +0000 (+0000) Subject: firewall: always allow outgoing DNS traffic to root servers X-Git-Tag: v2.23-core137~133 X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=70cd5c42f003292bd1ecb9e38018782679dbd01e firewall: always allow outgoing DNS traffic to root servers Allowing outgoing DNS traffic (destination port 53, both TCP and UDP) to the root servers is BCP for some reasons. First, RFC 5011 assumes resolvers are able to fetch new trust ancors from the root servers for a certain time period in order to do key rollovers. Second, Unbound shows some side effects if it cannot do trust anchor signaling (see RFC 8145) or fetch the current trust anchor, resulting in SERVFAILs for arbitrary requests a few minutes. There is little security implication of allowing DNS traffic to the root servers: An attacker might abuse this for exfiltrating data via DNS queries, but is unable to infiltrate data unless he gains control over at least one root server instance. If there is no firewall ruleset in place which prohibits any other DNS traffic than to chosen DNS servers, this patch will not have security implications at all. The second version of this patch does not use unnecessary xargs- call nor changes anything else not related to this issue. Fixes #12183 Cc: Michael Tremer Suggested-by: Horace Michael Signed-off-by: Peter Müller Acked-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files index 3a2a10a20e..b8ee805497 100644 --- a/config/rootfiles/core/137/filelists/files +++ b/config/rootfiles/core/137/filelists/files @@ -1,8 +1,9 @@ etc/system-release etc/issue srv/web/ipfire/cgi-bin/credits.cgi -usr/lib/firewall/rules.pl -usr/sbin/firewall-policy var/ipfire/langs etc/logrotate.conf +etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/ovpnmain.cgi +usr/lib/firewall/rules.pl +usr/sbin/firewall-policy diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708c..602bd6c5b4 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -6,6 +6,7 @@ eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) +ROOTHINTS="/etc/unbound/root.hints" IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` if [ -f /var/ipfire/red/device ]; then @@ -307,6 +308,17 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT + + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers + local rootserverips="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} )" + ipset -N root-servers iphash + + for ip in "${rootserverips[@]}"; do + ipset add root-servers $ip + done + + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT # Jump into the actual firewall ruleset. iptables -N INPUTFW