* CVE-2019-14899 and iifname-based firewall
@ 2019-12-05 18:13 Julian Orth
0 siblings, 0 replies; only message in thread
From: Julian Orth @ 2019-12-05 18:13 UTC (permalink / raw)
To: wireguard
Hello list, hello Jason,
I'm using the following nftables rules:
table inet filter {
chain input {
type filter hook input priority filter
ct state { established, related } accept
[...]
iifname "wg0" accept
udp dport 51820 accept
[...]
reject
}
}
After reading about CVE-2019-14899 I'm unsure if this allows an attacker
to injects packets into tcp connections.
If so, what is the best way to prevent this? Is setting rp_filter=1
sufficient?
Independently of the CVE I want to confirm if my firewall rules do what
I want them to do.
The nftables rules above are based on the following paragraph from
wireguard.com:
>[...] system administrators do not need complicated firewall
>extensions [...] but rather they can simply match on "is it from this
>IP? on this interface?", and be assured that it is a secure and
>authentic packet
Is this idea correctly represented by the rule "iifname wg0 accept"?
(I'm intentionally accepting connections from all peers in this case.)
Thank you
Julian
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-12-05 18:13 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-05 18:13 CVE-2019-14899 and iifname-based firewall Julian Orth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).