From 21185a17c43397ad6c0204be01448dcb03d955a6 Mon Sep 17 00:00:00 2001
From: NaeiKinDus
Date: Fri, 27 Dec 2024 00:00:00 +0000
Subject: [PATCH] feat(security): moved nftables reserved networks behind a feature flag and no longer block 0.0.0.0/8 and 169.254.0.0/16 by default to ease DHCP and APIPA configuration
---
 .../infrastructure/roles/security/defaults/main.yml | 11 +++++++++++
 .../security/templates/system/debian/nftables.conf.j2 | 4 +---
 .../templates/system/nftables/02-mangle.table.j2 | 2 ++
 3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
index dbb0499..3028230 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@@ -8,6 +8,7 @@ security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop
 security_firewall_filter_policy_output: drop
 security_firewall_mangle_drop_privatenets: true
+security_firewall_mangle_drop_reservednets: true
 security_firewall_mangle_policy_forward: drop
 security_firewall_mangle_policy_output: accept
 security_firewall_mangle_policy_postrouting: accept
@@ -18,3 +19,13 @@ security_firewall_nat_policy_postrouting: accept
 security_firewall_nat_policy_prerouting: accept
 security_ssh_port: 22
 security_sysctl_configuration: {}
+security_firewall_reserved_nets_ip4:
+# - 0.0.0.0/8 # if blocked, will block DHCP provisioning
+# - 169.254.0.0/16 # if blocked, will block DHCP provisioning
+ - 192.0.2.0/24
+ - 192.88.99.0/24
+ - 198.51.100.0/24
+ - 203.0.113.0/24
+ - 224.0.0.0/4
+ - 233.252.0.0/24
+ - 240.0.0.0/4
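Review bot: The comment on the commented-out `169.254.0.0/16` entry in the second hunk repeats the DHCP rationale, but that range is the APIPA/link-local block that the subject line itself distinguishes from DHCP, so the comment should state the actual reason it is exempted, e.g. `# - 169.254.0.0/16 # if blocked, will break APIPA/link-local traffic`. Because `0.0.0.0/8` is no longer in the default list, traffic sourced from 0.0.0.0 is no longer dropped by the reserved-nets rule; that is the trade-off the commit accepts, and a one-line comment above the list saying that `0.0.0.0/8` should be re-enabled on hosts with static addressing would make the expectation explicit for operators. The new `security_firewall_reserved_nets_ip4` key is also appended after `security_sysctl_configuration`, while the rest of the file keeps the `security_firewall_*` keys grouped and alphabetically ordered; placing it next to the `security_firewall_nat_policy_*` keys would preserve that order.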
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
index 9ddb711..5d3895f 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
@@ -25,9 +25,7 @@ define private_nets = {
 192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
 }
 define reserved_nets = {
- 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,
- 192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
- 224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
+ {{ security_firewall_reserved_nets_ip4 | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
 }
 define ssh_localport = {{ security_ssh_port }}
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2 b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
index 24b2e35..2e6b30b 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@@ -32,7 +32,9 @@ table inet mangle {
 {% if security_firewall_mangle_drop_privatenets -%}
 ip saddr $private_nets counter drop
 {% endif -%}
+ {% if security_firewall_mangle_drop_reservednets -%}
 ip saddr $reserved_nets counter drop
+ {% endif -%}
 iifname != "lo" ip saddr 127.0.0.0/8 counter drop
 }
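Review bot: An empty `security_firewall_reserved_nets_ip4` list renders `define reserved_nets = {` followed by nothing but whitespace and the closing brace, and the `join`/`wordwrap` chain on the added line does not guard against that; nft is likely to reject an empty set literal, so the define should be wrapped in `{% if security_firewall_reserved_nets_ip4 %}` … `{% endif %}` or the variable documented as requiring at least one entry. The define is also still rendered unconditionally while the rule that consumes it in 02-mangle.table.j2 is now behind `security_firewall_mangle_drop_reservednets`, so a host with the flag off and an empty list still fails on this define rather than on the rule. A short comment above the define naming the role variable it is built from, e.g. `# rendered from security_firewall_reserved_nets_ip4`, would help anyone reading the generated nftables.conf on the host.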