WireGuard Archive on lore.kernel.org
 help / color / Atom feed
From: Lonnie Abelbeck <lists@lonnie.abelbeck.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: "William J. Tolley" <william@breakpointingbad.com>,
	WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Regarding "Inferring and hijacking VPN-tunneled TCP connections"
Date: Sat, 7 Dec 2019 14:51:40 -0600
Message-ID: <EA649C00-DEF2-464F-A5DF-9A81FA6FB5C4@lonnie.abelbeck.com> (raw)
In-Reply-To: <CAHmME9pTt2MPH3gxks8S=3hVKS6P2XFkJd5eT7uivsoK7QPMJg@mail.gmail.com>

> On Dec 6, 2019, at 9:18 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hi Vasili,
> On Thu, Dec 5, 2019 at 10:28 PM Vasili Pupkin <diggest@gmail.com> wrote:
>> I've just figured out that the same effect can also be achieved with
>> iptables:
>> iptables -t filter -I INPUT -m addrtype --limit-iface-in ! --dst-type
> Neat trick, but it still requires this to run on all incoming packets
> from all interfaces, right? In other words, it enables a strong host
> model for the whole system instead of just with regards to addresses
> "owned" by the WireGuard interface. Adding support for the latter
> would get us back to the original rule we're using right now, right?

For what its worth, if some sort of basic firewall with conntrack is enabled, Step 1 of the attack is blocked with a "ctstate INVALID" rule.

Per testing in the lab, using attack "nping --tcp --flags SA ..."

For Example, VALID_CHK in the (external facing) INPUT and FORWARD chains:
-A VALID_CHK -m conntrack --ctstate INVALID -j DROP
for both iptables and ip6tables filter tables.

Is it common some sort of basic firewall with conntrack is not enabled ?


WireGuard mailing list

  parent reply index

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-05 19:13 Jason A. Donenfeld
2019-12-05 19:50 ` Vasili Pupkin
2019-12-05 20:24   ` Jason A. Donenfeld
2019-12-05 21:28     ` Vasili Pupkin
2019-12-06 15:18       ` Jason A. Donenfeld
2019-12-06 17:21         ` Vasili Pupkin
2019-12-07 20:51         ` Lonnie Abelbeck [this message]
2019-12-06 12:58     ` William J. Tolley
2019-12-06 15:06     ` Jordan Glover
2019-12-06 15:08       ` Jason A. Donenfeld
2019-12-06 16:03         ` Vasili Pupkin
2019-12-06 16:12           ` Jordan Glover
2019-12-06 17:06             ` Vasili Pupkin
2019-12-05 20:10 ` zrm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=EA649C00-DEF2-464F-A5DF-9A81FA6FB5C4@lonnie.abelbeck.com \
    --to=lists@lonnie.abelbeck.com \
    --cc=Jason@zx2c4.com \
    --cc=william@breakpointingbad.com \
    --cc=wireguard@lists.zx2c4.com \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

WireGuard Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/wireguard/0 wireguard/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 wireguard wireguard/ https://lore.kernel.org/wireguard \
	public-inbox-index wireguard

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git