firewall: Filter only on RED and exclude any private address space
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 14 Oct 2020 10:32:05 +0000 (11:32 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 14 Oct 2020 10:32:05 +0000 (11:32 +0100)
Since libloc is built as a tree we cannot simply exclude an arbitrary address
range in the middle of it. Therefore we add a few firewall rules which skip the
location check entirely for address space that is not globally routable.

Fixes: #12499
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/rules.pl
config/rootfiles/core/151/filelists/files

index cad53a1d794a751b5f52be5eab8135f7c4dce9b6..c2641a92d327be59531dd44a461ac8cc06f5786c 100644 (file)
@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
 
+my @PRIVATE_NETWORKS = (
+       "10.0.0.0/8",
+       "172.16.0.0/12",
+       "192.168.0.0/16",
+       "100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
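Review bot: The new @PRIVATE_NETWORKS list is narrower than the commit message claims: it covers the three RFC 1918 ranges plus 100.64.0.0/10, but the stated goal is to skip all "non-globally routable" space, and loopback 127.0.0.0/8, link-local 169.254.0.0/16, 0.0.0.0/8 and multicast 224.0.0.0/4 are absent, so sources in those ranges would still reach the per-country lookup. Link-local in particular is a plausible source on RED (a host that failed DHCP), so I would at least add `"169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",` to the list. The name "private" is also slightly off for 100.64.0.0/10, which is RFC 6598 shared address space, not RFC 1918; a one-line comment such as `# RFC 1918 private ranges plus RFC 6598 shared (CGNAT) space; never country-checked` above the array would make the intent explicit for the next maintainer.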
@@ -621,6 +628,16 @@ sub locationblock {
                return;
        }
 
+       # Only check the RED interface
+       if ($defaultNetworks{'RED_DEV'} ne "") {
+               run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+       }
+
+       # Do not check any private address space
+       foreach my $network (@PRIVATE_NETWORKS) {
+               run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+       }
+
        # Loop through all supported locations and
        # create iptables rules, if blocking for this country
        # is enabled.
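Review bot: The two new rule groups only work because they are appended to LOCATIONBLOCK before the per-country rules that the loop below appends, and nothing in the code states that ordering requirement; I would add `# These RETURN rules must be appended before the per-country rules below` above the interface check. When `$defaultNetworks{'RED_DEV'}` is empty the interface guard is skipped silently and the chain is evaluated for every interface as it was before this change, which may be intended, but a short comment (or a log line) saying so would make that fallback a decision rather than an accident. Note also that the match is on `-s` only, so a packet arriving on RED with a forged private source address skips the location check; whether that matters depends on bogon/anti-spoofing rules elsewhere, which this hunk does not show. The enclosing sub locationblock starts and ends outside the hunk.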
index 8223d97de547c890b7b67be1b5995e42532be935..9910e1bf94c59c37944785a97de6d1077a7190c9 100644 (file)
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs