add Anti-spoof rules

[Mile-Lile]

@jow-
@brada4

Hi devs, can you add anti-spoof rules to the owrt firewall? This will not change anything conceptual it will do just some hardening. Loopback interfaces and loopback ip addresses (ipv4 and ipv6) should never be accessed from the wan. These are for the services running on router itself (such as dnsmasq, unbound etc.). Almost every linux distro has these rules in forewall. I opened ticked here At least consider making it optional like with syn-flood rule.

So, something like this:

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # 1. Allow traffic loopback interface
        iif "lo" accept

        # 2. Drop traffic claiming to be local from external interfaces
        iif != "lo" ip saddr 127.0.0.0/8 drop
        iif != "lo" ip6 saddr ::1 drop

        # ... rest of rules
    }
}

or even stronger protection, with netdev ingress chain (earlier than prerouting) lets say eth0 is wanface:

table netdev anti_spoof {
    chain ingress {
        type filter hook ingress device eth0 priority 0;

        ip saddr 127.0.0.0/8 drop
        ip6 saddr ::1 drop

    }
}

[brada4]

bcp38 is kind of routing issue, ie blackhole route bogon nets from rfc-s or cymru team
Somewhat contradicting to that there is a bcp38 package firewalling WAN interface against bogus networks....

on the same note strict rp filter drops additional obvious spoofs
You can mirror those using fib rules.

I see in other issue you mention something else ie directly connected host connects to other local ip address on our router. localhost is masked in this case (you can re-open localhost routing/forwarding by sysctl) but other iface is not. The thing is other IPs are part of "local" addresses.
so - if interface is localhost and it connects to 192.168.1.1 it is actually (non-masqueable non-redirectable) loopback / localhost / lo
if interface is br-lan then accepting port allows all locally configured addreses as "input" ie no forwarding involved.
Again fib can save second part.

Otherwise fib module just hangs in there doing nothing.

[Mile-Lile]

does this means, that traffic from wan destined to loopback is routed to unreachable and this is allready present on openwrt?

[brada4]

If you want to try.
Place this into /etc/nftables.d/antispoof.nft

chain raw_prerouting {
        type filter hook prerouting priority raw;
        fib saddr type multicast counter drop
}

Then set following develop.nft file to rewrite that table

flush chain inet fw4 raw_prerouting
table inet fw4 {
   chain raw_prerouting {
        type filter hook prerouting priority raw;
        fib saddr type multicast counter drop
  }
}

Now you can add more signs of badness into it and load via

nft -c -o -d netlink -f develop.nft 

Obviously if you are locked out pull the cable and stable version be back.
(rtfm for option meaning)

Once you are into somewat stable idea - parameters are in fw4 uc , ruleset is printed from - you guessed it - ruleset.uc

[brada4]

unreachable

NO, it is not unreachable as to send back unreachable icmp. It is blackhole - discard packets silently. It is default in every operating system since forever, totally unconfigurable out of it. Yes, you see that in some online examples, and then some more that are handled by "drop invalid"