CVE-2019-14899 and iifname-based firewall
Julian Orth
ju.orth at gmail.com
Thu Dec 5 19:13:05 CET 2019
Hello list, hello Jason,
I'm using the following nftables rules:
table inet filter {
    chain input {
        type filter hook input priority filter
        ct state { established, related } accept
        [...]
        iifname "wg0" accept
        udp dport 51820 accept
        [...]
        reject
    }
}
After reading about CVE-2019-14899 I'm unsure if this allows an attacker
to inject packets into tcp connections.
If so, what is the best way to prevent this? Is setting rp_filter=1
sufficient?
Independently of the CVE I want to confirm if my firewall rules do what
I want them to do.
The nftables rules above are based on the following paragraph from
wireguard.com:
>[...] system administrators do not need complicated firewall
>extensions [...] but rather they can simply match on "is it from this
>IP? on this interface?", and be assured that it is a secure and
>authentic packet
Is this idea correctly represented by the rule "iifname wg0 accept"?
(I'm intentionally accepting connections from all peers in this case.)
Thank you
Julian
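As an added example (not part of the original mail and not an answer from the list), here is a hardened variant of the ruleset quoted above that makes the interface/address binding explicit at the firewall instead of relying only on the reverse-path filter. It assumes placeholder addressing: wg0 carries the tunnel subnet 10.0.0.0/24, and eth0 is the physical uplink; substitute the real tunnel prefix, and add a matching `ip6 daddr` rule if the tunnel carries IPv6.

```nft
# Added example, not from the original post. Placeholder assumptions:
#   - wg0 carries the tunnel subnet 10.0.0.0/24 (substitute the real prefix)
#   - eth0 is the physical uplink
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Local processes talk to tunnel addresses over lo; let them through
        # before the anti-spoof rule below so it does not catch them.
        iif "lo" accept

        # Only the tunnel interface may deliver packets addressed to the
        # tunnel subnet. A packet with a tunnel destination arriving on any
        # other interface is the pattern CVE-2019-14899 describes; it is
        # logged and dropped here, deliberately BEFORE the conntrack rule,
        # because a crafted packet could otherwise match an existing
        # established entry and be accepted by "ct state established".
        iifname != "wg0" ip daddr 10.0.0.0/24 log prefix "tunnel-spoof: " drop

        ct state { established, related } accept

        # Traffic that actually arrived through WireGuard has already been
        # decrypted and authenticated by the kernel, so it is trusted.
        iifname "wg0" accept

        # The encrypted WireGuard transport itself, on the physical uplink.
        iifname "eth0" udp dport 51820 accept

        reject
    }
}
```

Ordering is the point of this example: the `iifname != "wg0" ip daddr ...` drop must sit above the `ct state` accept, and below the loopback accept, for it to be effective without breaking local traffic. The rule complements `net.ipv4.conf.all.rp_filter=1` (strict mode) rather than replacing it; the sysctl depends on routing state, whereas this rule states the binding directly and leaves a log line to alert on.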