feat(security): moved nftables reserved networks behind a feature flag and no longer block 0.0.0.0/8 and 169.254.0.0/16 by default to ease DHCP and APIPA configuration

2024-12-27 00:00:00 +00:00 · 2024-12-27 00:00:00 +00:00 · 21185a17c4
commit 21185a17c4
parent 667c7de87e
3 changed files with 14 additions and 3 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/defaults/main.yml
@ -8,6 +8,7 @@ security_firewall_filter_policy_forward: drop
 security_firewall_filter_policy_input: drop
 security_firewall_filter_policy_output: drop
 security_firewall_mangle_drop_privatenets: true
+security_firewall_mangle_drop_reservednets: true
 security_firewall_mangle_policy_forward: drop
 security_firewall_mangle_policy_output: accept
 security_firewall_mangle_policy_postrouting: accept
@ -18,3 +19,13 @@ security_firewall_nat_policy_postrouting: accept
 security_firewall_nat_policy_prerouting: accept
 security_ssh_port: 22
 security_sysctl_configuration: {}
+security_firewall_reserved_nets_ip4:
+#  - 0.0.0.0/8 # if blocked, will block DHCP provisioning
+#  - 169.254.0.0/16 # if blocked, will block DHCP provisioning
+  - 192.0.2.0/24
+  - 192.88.99.0/24
+  - 198.51.100.0/24
+  - 203.0.113.0/24
+  - 224.0.0.0/4
+  - 233.252.0.0/24
+  - 240.0.0.0/4
--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/debian/nftables.conf.j2
@ -25,9 +25,7 @@ define private_nets = {
    192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15
 }
 define reserved_nets = {
-    0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,
-    192.88.99.0/24, 198.51.100.0/24, 203.0.113.0/24,
-    224.0.0.0/4, 233.252.0.0/24, 240.0.0.0/4
+    {{ security_firewall_reserved_nets_ip4 | join(", ") | wordwrap(40, wrapstring="\n\t", break_long_words=False) }}
 }
 define ssh_localport = {{ security_ssh_port }}

--- a/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
+++ b/collections/ansible_collections/nullified/infrastructure/roles/security/templates/system/nftables/02-mangle.table.j2
@ -32,7 +32,9 @@ table inet mangle {
        {% if security_firewall_mangle_drop_privatenets -%}
        ip saddr $private_nets counter drop
        {% endif -%}
+        {% if security_firewall_mangle_drop_reservednets -%}
        ip saddr $reserved_nets counter drop
+        {%  endif -%}
        iifname != "lo" ip saddr 127.0.0.0/8 counter drop
    }