diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch')
| -rw-r--r-- | meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch new file mode 100644 index 000000000..f9c387a45 --- /dev/null +++ b/meta-networking/recipes-connectivity/ufw/ufw/0010-empty-out-IPT_MODULES-and-update-documentation.patch @@ -0,0 +1,106 @@ +empty our IPT_MODULES and update documentation + +empty out IPT_MODULES and update documentation regarding modern use of +connection tracking modules. + +Patch from git://git.launchpad.net/ufw +Commit aefb842b73726c245157096fb8992c3e82833147 + +Written by Jamie Strandboge <jamie@ubuntu.com> + +Merged patch so they applied to 0.33 with missing code. Unit tests are not +in this version. + +Upstream-Status: Backport +Signed-off-by: Jate Sujjavanich <jatedev@gmail.com> + + +diff --git a/conf/ufw.defaults b/conf/ufw.defaults +index 330ad88..b3eba8f 100644 +--- a/conf/ufw.defaults ++++ b/conf/ufw.defaults +@@ -34,12 +34,13 @@ MANAGE_BUILTINS=no + # only enable if using iptables backend + IPT_SYSCTL=#CONFIG_PREFIX#/ufw/sysctl.conf + +-# Extra connection tracking modules to load. Complete list can be found in +-# net/netfilter/Kconfig of your kernel source. Some common modules: ++# Extra connection tracking modules to load. IPT_MODULES should typically be ++# empty for new installations and modules added only as needed. See ++# 'CONNECTION HELPERS' from 'man ufw-framework' for details. Complete list can ++# be found in net/netfilter/Kconfig of your kernel source. Some common modules: + # nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support + # nf_conntrack_netbios_ns: NetBIOS (samba) client support + # nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT + # nf_conntrack_ftp, nf_nat_ftp: active FTP support + # nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side) +-IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" +- ++IPT_MODULES="" + +diff --git a/doc/ufw-framework.8 b/doc/ufw-framework.8 +index eef28e1..97dc8c5 100644 +--- a/doc/ufw-framework.8 ++++ b/doc/ufw-framework.8 +@@ -115,5 +115,10 @@ IPT_MODULES in #CONFIG_PREFIX#/default/ufw. Some popular modules to load are: + nf_conntrack_tftp + nf_nat_tftp ++.PP ++Unconditional loading of connection tracking modules (nf_conntrack_*) in this ++manner is deprecated. \fBufw\fR continues to support the functionality but new ++configuration should only contain the specific modules required for the site. ++For more information, see CONNECTION HELPERS. + + .SH "KERNEL PARAMETERS" + .PP +@@ 240,5 +245,50 @@ Add the necessary \fBufw\fR rules: + # ufw allow in on eth1 from 10.0.0.100 to any port 22 proto tcp + ++.SH "CONNECTION HELPERS" ++.PP ++Various protocols require the use of netfilter connection tracking helpers to ++group related packets into RELATED flows to make rulesets clearer and more ++precise. For example, with a couple of kernel modules and a couple of rules, a ++ruleset could simply allow a connection to FTP port 21, then the kernel would ++examine the traffic and mark the other FTP data packets as RELATED to the ++initial connection. ++.PP ++When the helpers were first introduced, one could only configure the modules as ++part of module load (eg, if your FTP server listened on a different port than ++21, you'd have to load the nf_conntrack_ftp module specifying the correct ++port). Over time it was understood that unconditionally using connection ++helpers could lead to abuse, in part because some protocols allow user ++specified data that would allow traversing the firewall in undesired ways. As ++of kernel 4.7, automatic conntrack helper assignment (ie, handling packets for ++a given port and all IP addresses) is disabled (the old behavior can be ++restored by setting net/netfilter/nf_conntrack_helper=1 in ++#CONFIG_PREFIX#/ufw/sysctl.conf). Firewalls should now instead use the CT ++target to associate traffic with a particular helper and then set RELATED rules ++to use the helper. This allows sites to tailor the use of helpers and help ++avoid abuse. ++.PP ++In general, to use helpers securely, the following needs to happen: ++.IP 1. ++net/netfilter/nf_conntrack_helper should be set to 0 (default) ++.IP 2. ++create a rule for the start of a connection (eg for FTP, port 21) ++.IP 3. ++create a helper rule to associate the helper with this connection ++.IP 4. ++create a helper rule to associate a RELATED flow with this connection ++.IP 5. ++if needed, add the corresponding nf_conntrack_* module to IPT_MODULES ++.IP 6. ++optionally add the corresponding nf_nat_* module to IPT_MODULES ++.PP ++In general it is desirable to make connection helper rules as specific as ++possible and ensure anti\-spoofing is correctly setup for your site to avoid ++security issues in your ruleset. For more information, see ANTI\-SPOOFING, ++above, and <https://home.regit.org/netfilter-en/secure-use-of-helpers/>. ++.PP ++Currently helper rules must be managed in via the RULES FILES. A future version ++of \fBufw\fR will introduce syntax for working with helper rules. ++ + .SH SEE ALSO + .PP + \fBufw\fR(8), \fBiptables\fR(8), \fBip6tables\fR(8), \fBiptables\-restore\fR(8), \fBip6tables\-restore\fR(8), \fBsysctl\fR(8), \fBsysctl.conf\fR(5) |