authorMicah Anderson <micah@leap.se>2014-04-29 14:39:15 -0400
committerMicah Anderson <micah@leap.se>2014-04-29 14:39:15 -0400
commite3e44973d6290a0228375135adf88d3271fc4242 (patch)
tree3637bfdbee71545533d81f36a8d53888e9567289 /puppet/modules/site_shorewall
parent9574bf2b8a87d32f799c80bf37818d62be6b7c15 (diff)
block DNS traffic at the OpenVPN gateway (#4164)
There are many different edge cases where Mac and Windows clients (and maybe Android too) will revert to using a different DNS server than the one specified by OpenVPN. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (UDP and TCP) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp16
1 files changed, 16 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7109b770..13f831b6 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -68,6 +68,22 @@ class site_shorewall::eip {
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
+
+ 'block_eip_dns_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ protocol => 'udp',
+ destinationport => 'domain',
+ order => 300;
+
+ 'block_eip_dns_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ protocol => 'tcp',
+ destinationport => 'domain',
+ order => 301;
}
# create dnat rule for each port
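Review bot: The two REJECT rules (`block_eip_dns_udp` at order 300 and `block_eip_dns_tcp` at order 301) only block port 53 if no earlier rule already accepts eip → net traffic, because Shorewall matches rules in order and stops at the first hit; the class body above line 68 is outside the hunk, so it is worth confirming that no eip → net ACCEPT rule with order < 300 exists there, otherwise these rules are dead and the leak the commit describes remains. The rules also key only on destination `net`, which matches the stated intent of leaving DNS on the gateway itself reachable, but that scoping is not visible in the manifest. Add a why-comment above the first new rule so the next maintainer does not relax it, e.g. `# Reject DNS from EIP clients to the internet so leaked resolver traffic` / `# cannot bypass the VPN's resolver; intentionally leaves $FW reachable (#4164)`.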