From: Toke Høiland-Jørgensen
To: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 19 Mar 2014 21:59:18 +0100
Message-ID: <87txataord.fsf@toke.dk>
Subject: [Cerowrt-devel] BCP38 implementation

So I've hacked a bit on a BCP38 implementation for IPv4, and I think I sorta have a working prototype. I ran out of steam trying to package everything up properly, so thought I'd distribute it so that those adventurous enough to do a manual install could give some feedback.

Install instructions (for 3.10.32-9 -- dunno if it will work in earlier versions):

1. Get and install the bcp38 package from
http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/bcp38_2-1_ar71xx.ipk
-- this will get you the script and it should be run from the firewall.

2. Add the following to your /etc/config/firewall, after the last 'forwarding' section:

config ipset
	option name 'bcp38-ipv4'
	option family 'ipv4'
	option match 'dest_net'
	option storage 'hash'

config ipset
	option name 'bcp38-ipv4-ingress'
	option external 'bcp38-ipv4'
	option family 'ipv4'
	option match 'src_net'
	option storage 'hash'

config rule
	option src 'wan'
	option ipset 'bcp38-ipv4-ingress'
	option family 'ipv4'
	option name 'drop-bcp38-ipv4 input'
	option target 'DROP'
	option proto 'all'

config rule
	option src 'wan'
	option dest '*'
	option ipset 'bcp38-ipv4-ingress'
	option family 'ipv4'
	option name 'drop-bcp38-ipv4'
	option target 'DROP'
	option proto 'all'

config rule
	option dest 'wan'
	option ipset 'bcp38-ipv4'
	option name 'reject-bcp38-ipv4 output'
	option family 'ipv4'
	option target 'REJECT'
	option proto 'all'

config rule
	option dest 'wan'
	option src '*'
	option ipset 'bcp38-ipv4'
	option name 'reject-bcp38-ipv4'
	option family 'ipv4'
	option target 'REJECT'
	option proto 'all'

Those two steps should be enough to enable the basic mechanism. It is controlled by adding a new option to the firewall config file, in the defaults section. The option is called 'enable_bcp38'. So adding a line like:

option enable_bcp38 '1'

to the end of the 'defaults' at the top of /etc/config/firewall should enable the mechanism on firewall reload.

Additionally, an option called bcp38_whitelist can be set to one or more CIDR style net addresses (space separated) which will be excluded from the matching. This can be used to account for double nat'ing, so if your WAN interface gets an address that would be blocked by the bcp38 rules, add it here and it should go through.

To get a checkbox and a field in the firewall GUI to control this, apply the following patch to /usr/lib/lua/luci/model/cbi/firewall/zones.lua (with patch -p1; not sure if that is included in cerowrt, otherwise, just paste in the added lines manually):

--- a/zones.lua
+++ b/zones.lua
@@ -32,6 +32,12 @@
 o = s:option(Flag, "drop_invalid", translate("Drop invalid packets"))
 o.default = o.disabled
 
+b = s:option(Flag, "enable_bcp38", translate("Enable BCP38 filtering"))
+b.default = b.disabled
+
+bip = s:option(Value, "bcp38_whitelist", translate("BCP38 whitelist subnet"))
+bip:depends("enable_bcp38", "1")
+
 p = {
 	s:option(ListValue, "input", translate("Input")),
 	s:option(ListValue, "output", translate("Output")),

As I said, the basic functionality should be there, but there are some outstanding issues. Including, but not necessarily limited to:

- Should there be a separate configuration page where the included subnets can be specified? Or is the checkbox on the firewall page sufficient? I think it logically belongs with the firewall, and indeed it needs the firewall config rules to function, but maybe more configurability is a good thing?

- Managing the different parts of the configuration can be brittle. I.e. if the mechanism is disabled but the firewall rules are missing, or vice versa, it's not going to work.

- Some sort of auto-detection of upstream private subnets would probably be good, unless we risk people having no access before they change the config manually.

- Right now blocked outgoing packets get a 'destination port unreachable' -- this seems to be a hard-coded feature of the firewall script setup. Should probably be a 'destination net unreachable' instead.

Anyway, comments welcome.
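Review bot: the `bcp38_whitelist` field added in the hunk is a plain `Value`, so the form will accept any text, while the mail says the option must hold one or more space-separated CIDR nets; a stray entry like `192.168.1.0` (no prefix length) gets written to /etc/config/firewall unchecked and only fails later at firewall reload, which is exactly the brittle-configuration case listed under outstanding issues. LuCI's CBI datatypes include `cidr4` and a `list()` wrapper, so something like `bip.datatype = "list(cidr4)"` after the `bip:depends("enable_bcp38", "1")` line would reject malformed entries in the GUI. The `translate("BCP38 whitelist subnet")` label also reads as a single subnet; a label or description saying that several nets may be given, space separated, would match the documented behaviour.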
:)

-Toke
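As an added illustration, not part of Toke's mail and not the bcp38 package's own script, the following POSIX sh sketch shows one way the single kernel set that both `config ipset` sections above refer to (`bcp38-ipv4`) could be populated, and how the `bcp38_whitelist` exclusion could be expressed: instead of deleting entries, each whitelisted net becomes a hash:net `nomatch` exception, so a more specific whitelisted prefix punches a hole in a broader filtered prefix (the double-NAT case the mail describes). It also performs the CIDR sanity check the whitelist option implies. Assumptions (none from the mail): the list of filtered prefixes in `BCP38_NETS` (RFC 1918 plus common special-purpose ranges; the real package may use a different list), and a kernel whose hash:net supports the `nomatch` flag (check `ipset help hash:net` on the router). The script only emits an `ipset restore` stream; it does not touch the running firewall.

```shell
#!/bin/sh
# Added example, not the bcp38 package's script: build an `ipset restore`
# stream for the 'bcp38-ipv4' set named in the mail's firewall config,
# carving whitelisted nets out of it with hash:net 'nomatch' entries.

# ASSUMED prefix list; the real package may filter a different set of nets.
BCP38_NETS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# ip4_to_int A.B.C.D -> the address as a 32-bit integer (e.g. 10.1.2.3 -> 167838211)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_valid_cidr4 A.B.C.D/LEN -> 0 if well-formed (four octets <= 255, 0 <= LEN <= 32)
is_valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# cidr_contains OUTER INNER -> 0 if INNER lies entirely within OUTER
cidr_contains() {
    outer_len=${1#*/}; inner_len=${2#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    # 64-bit shell arithmetic assumed (dash, bash, busybox ash with 64-bit arith)
    mask=$(( (4294967295 << (32 - outer_len)) & 4294967295 ))
    outer_addr=$(ip4_to_int "${1%/*}")
    inner_addr=$(ip4_to_int "${2%/*}")
    [ $(( outer_addr & mask )) -eq $(( inner_addr & mask )) ]
}

# bcp38_restore_lines "WHITELIST" -> prints an `ipset restore` script:
# one 'create', one 'add' per filtered net, and one 'add ... nomatch' per
# whitelisted net. A whitelist entry that is malformed, or that falls outside
# every filtered net (so it could never have been blocked), is an error rather
# than something to silently ignore, which is where a typo would otherwise hide.
bcp38_restore_lines() {
    whitelist=$1
    for w in $whitelist; do
        is_valid_cidr4 "$w" || { echo "bad whitelist entry: $w" >&2; return 1; }
        covered=1
        for n in $BCP38_NETS; do
            if cidr_contains "$n" "$w"; then covered=0; break; fi
        done
        [ $covered -eq 0 ] || { echo "whitelist entry $w is outside the filtered nets" >&2; return 1; }
    done
    echo "create bcp38-ipv4 hash:net family inet"
    for n in $BCP38_NETS; do
        echo "add bcp38-ipv4 $n"
    done
    for w in $whitelist; do
        echo "add bcp38-ipv4 $w nomatch"
    done
}

# Stand-alone use: constructed double-NAT whitelist, written to stdout.
# bcp38_restore_lines "192.168.1.0/24" | ipset -exist restore   # on the router
bcp38_restore_lines "192.168.1.0/24"
```

Because fw3 already creates the set from the `config ipset` sections in the mail, the `create` line will clash with the existing set unless `ipset -exist restore` is used; the `add ... nomatch` entries are what make the WAN-side upstream router's address (e.g. 192.168.1.1 behind a double NAT) pass both the `src_net` ingress DROP and the `dest_net` egress REJECT rules while the rest of 192.168.0.0/16 stays filtered.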