From 4702cbf332b8e7a925097f91fd516b21947002b4 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 8 Jun 2022 03:01:20 +0200
Subject: [PATCH] update roles/modify-ipt-gateway-ro/tasks/main.yml ..
---
roles/modify-ipt-gateway-ro/tasks/main.yml | 234 ++++++++++++++++-----
1 file changed, 179 insertions(+), 55 deletions(-)
diff --git a/roles/modify-ipt-gateway-ro/tasks/main.yml b/roles/modify-ipt-gateway-ro/tasks/main.yml
index d2b3c5e..bd56eb2 100644
--- a/roles/modify-ipt-gateway-ro/tasks/main.yml
+++ b/roles/modify-ipt-gateway-ro/tasks/main.yml
@@ -108,95 +108,219 @@ notify: - Restart IPv6 Firewall +- name: addjust line 'adjust_kernel_parameters' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^adjust_kernel_parameters=' + line: '#adjust6_kernel_parameters=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + +- name: addjust line 'protect_against_several_attack' (IPv6) + lineinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + regexp: '^protect_against_several_attacks=' + line: '#protect6_against_several_attacks=true' + when: + - main_ipv6_exists.stat.exists + notify: + - Restart IPv6 Firewall + # --- -# Allow local services from ALL extern netwoks +# Block Routers # --- -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv4) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv4.conf - register: allow_all_ext_traffic_to_local_service_ipv4_present +- name: Check if String 'drop_syn_flood..' (IPv4) is present + shell: grep -q -E "^#?drop_syn_flood=" /ro/etc/ipt-firewall/main_ipv4.conf + register: drop_syn_flood_ipv4_present when: main_ipv4_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv4_present.rc > 0" + failed_when: "drop_syn_flood_ipv4_present.rc > 1" + changed_when: "drop_syn_flood_ipv4_present.rc > 0" -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (drop_syn_flood) blockinfile: path: /ro/etc/ipt-firewall/main_ipv4.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect_against_several_attacks=true' block: | - # ============= - # - Allow local services from ALL extern netwoks - # ============= + # Protection against syn-flooding + # + #drop_syn_flood=false - # - allow_all_ext_traffic_to_local_service + # - I have to say that 
fragments scare me more than anything. + # - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" + # - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such + # - fragments is very OS-dependent (see this paper for details). + # - I am not going to trust any fragments. + # - Log fragments just to see if we get any, and deny them too # - - # - allow_all_ext_traffic_to_local_service="local-address:port:protocol [local-address:port:protocol] .." + # - !! 'drop_fragments' does not work within telekom mobile connections !! # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. - # - - # - Example: - # - allow extern traffic to service at 83.223.73.210 on port 1036 - # - allow extern traffic to https service at 83.223.73.204 - # - - # - allow_ext_net_to_local_service=" - # - 83.223.73.210:1036:tcp - # - 83.223.73.204:$standard_https_port:tcp - # - " - # - - # - Blank separated list - # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + #drop_fragments=true + + # drop new packages without syn flag + # + #drop_new_not_sync=true + + # drop invalid packages + # + #drop_invalid_state=true + + # drop packages with unusal flags + # + #drop_invalid_flags=true + + # Refuse private addresses on extern interfaces + # + # Refuse packets claiming to be from a + # Class A private network + # Class B private network + # Class C private network + # loopback interface + # Class D multicast address + # Class E reserved IP address + # broadcast address + #drop_spoofed=true + + # Don't allow spoofing from that server + # + #drop_spoofed_out=true + + # Refusing packets claiming to be to the loopback interface protects against + # source quench, whereby a machine can be told to slow itself down by an icmp source + # quench to the loopback. 
+ #drop_ext_to_lo=true + marker: "# Marker set by modify-ipt-gateway.yml (drop_syn_flood)" when: - main_ipv4_exists.stat.exists - - allow_all_ext_traffic_to_local_service_ipv4_present is changed + - drop_syn_flood_ipv4_present is changed -- name: Check if String 'allow_all_ext_traffic_to_local_service..' (IPv6) is present - shell: grep -q -E "^allow_all_ext_traffic_to_local_service=" /ro/etc/ipt-firewall/main_ipv6.conf - register: allow_all_ext_traffic_to_local_service_ipv6_present +- name: Check if String 'drop6_syn_flood..' (IPv6) is present + shell: grep -q -E "^#?drop6_syn_flood=" /ro/etc/ipt-firewall/main_ipv6.conf + register: drop6_syn_flood_ipv6_present when: main_ipv6_exists.stat.exists - failed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 1" - changed_when: "allow_all_ext_traffic_to_local_service_ipv6_present.rc > 0" + failed_when: "drop6_syn_flood_ipv6_present.rc > 1" + changed_when: "drop6_syn_flood_ipv6_present.rc > 0" -- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (allow_all_ext_traffic_to_local_service) +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (drop6_syn_flood) blockinfile: path: /ro/etc/ipt-firewall/main_ipv6.conf - insertafter: '^#?\s*any_access_from_inet_networks' + insertafter: '^#?\s*protect6_against_several_attacks=true' + block: | + + # Protection against syn-flooding + # + #drop6_syn_flood=false + + # drop new packages without syn flag + # + #drop6_new_not_sync=true + + # drop invalid packages + # + #drop6_invalid_state=true + + # drop packages with unusal flags + # + #drop6_invalid_flags=true + + # Refuse spoofed packets pretending to be from your IP address. 
+ # + #drop6_from_own_ip=true + + # Refuse private addresses on extern interfaces + # + #drop6_spoofed=true + marker: "# Marker set by modify-ipt-gateway.yml (drop6_syn_flood)" + when: + - main_ipv6_exists.stat.exists + - drop6_syn_flood_ipv6_present is changed + + +# --- +# Block UDP/TCP Ports out +# --- + +- name: Check if String 'block_udp_extern_out_ports..' (IPv4) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv4.conf + register: block_udp_extern_out_ports_ipv4_present + when: main_ipv4_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv4_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv4_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv4.conf' (block_udp_extern_out_ports) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv4.conf + insertafter: '^#?\s*block_upnp_traffic_out' block: | # ============= - # - Allow local services from ALL extern netwoks + # --- Block UDP Ports out # ============= - # - allow_all_ext_traffic_to_local_service + # - UDP Ports to block (only extern out) # - - # - allow_all_ext_traffic_to_local_service="local-address,port,protocol [local-address,port,protocol] .." + # - Comma separated list of udp ports # - - # - Note: - # - ===== - # - - Only 'tcp' and 'udp' are allowed valuse for protocol. 
+ block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) # - - # - Example: - # - allow extern traffic to service at 2a01:30:1fff:fd00::210 on port 1036 - # - allow extern traffic to https service at 2a01:30:1fff:fd00::204 + # - Comma separated list of tcp ports # - - # - allow_ext_net_to_local_service=" - # - 2a01:30:1fff:fd00::210,1036,tcp - # - 2a01:30:1fff:fd00::204,$standard_https_port,tcp - # - " + block_tcp_extern_out_ports="" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" + when: + - main_ipv4_exists.stat.exists + - block_udp_extern_out_ports_ipv4_present is changed + +- name: Check if String 'block_udp_extern_out_ports..' (IPv6) is present + shell: grep -q -E "^block_udp_extern_out_ports=" /ro/etc/ipt-firewall/main_ipv6.conf + register: block_udp_extern_out_ports_ipv6_present + when: main_ipv6_exists.stat.exists + failed_when: "block_udp_extern_out_ports_ipv6_present.rc > 1" + changed_when: "block_udp_extern_out_ports_ipv6_present.rc > 0" + +- name: Adjust file '/ro/etc/ipt-firewall/main_ipv6.conf' (block_udp_extern_out_ports) + blockinfile: + path: /ro/etc/ipt-firewall/main_ipv6.conf + insertafter: '^#?\s*block_upnp_traffic_out' + block: | + + + # ============= + # --- Block UDP Ports out + # ============= + + # - UDP Ports to block (only extern out) # - - # - Blank separated list + # - Comma separated list of udp ports # - - allow_all_ext_traffic_to_local_service="" - marker: "# Marker set by modify-ipt-gateway.yml (allow_all_ext_traffic_to_local_service)" + block_udp_extern_out_ports="" + + + # ============= + # --- Block TCP Ports out + # ============= + + # - TCP Ports to block (only extern out) + # - + # - Comma separated list of tcp ports + # - + block_tcp_extern_out_ports="" + marker: "# Marker set by modify-ipt-gateway.yml (block_udp_extern_out_ports)" when: - main_ipv6_exists.stat.exists - - 
allow_all_ext_traffic_to_local_service_ipv6_present is changed + - block_udp_extern_out_ports_ipv6_present is changed
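Review bot: The two new lineinfile tasks at the top of the hunk turn any active `adjust_kernel_parameters=` / `protect_against_several_attacks=` line in main_ipv6.conf into a commented-out `#adjust6_kernel_parameters=true` / `#protect6_against_several_attacks=true`, so a host that had these hardening switches set explicitly loses the value and falls back to whatever default the firewall script applies for the `6`-suffixed key, which this patch does not show. If the intent is to rename the keys to the IPv6 spelling, carry the value over with a backreference, e.g. `regexp: '^adjust_kernel_parameters=(.*)$'`, `line: 'adjust6_kernel_parameters=\1'`, `backrefs: true` (same for protect_against_several_attacks); with `backrefs: true` lineinfile also writes nothing when the regexp does not match, instead of appending the line at end of file as it does now on hosts whose config already uses the new spelling. The blockinfile `insertafter` anchors are pinned to `…=true`, so a host with `protect_against_several_attacks=false` gets the drop_* block appended at end of file rather than next to the related setting; `'^#?\s*protect_against_several_attacks='` (and the `protect6_` equivalent) anchors on the key regardless of value. The task names also still read "addjust", and the inserted comments say "packages" where "packets" is meant.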