From: Julian Orth <ju.orth@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: CVE-2019-14899 and iifname-based firewall
Date: Thu, 5 Dec 2019 19:13:05 +0100 [thread overview]
Message-ID: <229e17a6-9a78-d1a7-0278-81d4ee46e1c3@gmail.com> (raw)
Hello list, hello Jason,
I'm using the following nftables rules:
table inet filter {
chain input {
type filter hook input priority filter
ct state { established, related } accept
[...]
iifname "wg0" accept
udp dport 51820 accept
[...]
reject
}
}
After reading about CVE-2019-14899 I'm unsure if this allows an attacker
to injects packets into tcp connections.
If so, what is the best way to prevent this? Is setting rp_filter=1
sufficient?
Independently of the CVE I want to confirm if my firewall rules do what
I want them to do.
The nftables rules above are based on the following paragraph from
wireguard.com:
>[...] system administrators do not need complicated firewall
>extensions [...] but rather they can simply match on "is it from this
>IP? on this interface?", and be assured that it is a secure and
>authentic packet
Is this idea correctly represented by the rule "iifname wg0 accept"?
(I'm intentionally accepting connections from all peers in this case.)
Thank you
Julian
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
reply other threads:[~2019-12-05 18:13 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=229e17a6-9a78-d1a7-0278-81d4ee46e1c3@gmail.com \
--to=ju.orth@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).