From: Lonnie Abelbeck <lists@lonnie.abelbeck.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: "William J. Tolley" <william@breakpointingbad.com>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Sat, 7 Dec 2019 14:51:40 -0600 [thread overview]
Message-ID: <EA649C00-DEF2-464F-A5DF-9A81FA6FB5C4@lonnie.abelbeck.com> (raw)
In-Reply-To: <CAHmME9pTt2MPH3gxks8S=3hVKS6P2XFkJd5eT7uivsoK7QPMJg@mail.gmail.com>
> On Dec 6, 2019, at 9:18 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Vasili,
>
> On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest@gmail.com> wrote:
>> I've just figured out that the same effect can also be achieved with
>> iptables:
>> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
>> LOCAL -j DROP
>
> Neat trick, but it still requires this to run on all incoming packets
> from all interfaces, right? In other words, it enables a strong host
> model for the whole system instead of just with regards to addresses
> "owned" by the WireGuard interface. Adding support for the latter
> would get us back to the original rule we're using right now, right?
For what its worth, if some sort of basic firewall with conntrack is enabled, Step 1 of the attack is blocked with a "ctstate INVALID" rule.
Per testing in the lab, using attack "nping --tcp --flags SA ..."
For Example, VALID_CHK in the (external facing) INPUT and FORWARD chains:
--
-A VALID_CHK -m conntrack --ctstate INVALID -j DROP
--
for both iptables and ip6tables filter tables.
Is it common some sort of basic firewall with conntrack is not enabled ?
Lonnie
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-12-07 20:52 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-05 19:13 Jason A. Donenfeld
2019-12-05 19:50 ` Vasili Pupkin
2019-12-05 20:24 ` Jason A. Donenfeld
2019-12-05 21:28 ` Vasili Pupkin
2019-12-06 15:18 ` Jason A. Donenfeld
2019-12-06 17:21 ` Vasili Pupkin
2019-12-07 20:51 ` Lonnie Abelbeck [this message]
2019-12-06 12:58 ` William J. Tolley
2019-12-06 15:06 ` Jordan Glover
2019-12-06 15:08 ` Jason A. Donenfeld
2019-12-06 16:03 ` Vasili Pupkin
2019-12-06 16:12 ` Jordan Glover
2019-12-06 17:06 ` Vasili Pupkin
2019-12-05 20:10 ` zrm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=EA649C00-DEF2-464F-A5DF-9A81FA6FB5C4@lonnie.abelbeck.com \
--to=lists@lonnie.abelbeck.com \
--cc=Jason@zx2c4.com \
--cc=william@breakpointingbad.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).