summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2014-04-29 14:39:15 -0400
committerMicah Anderson <micah@leap.se>2014-04-29 14:39:15 -0400
commite3e44973d6290a0228375135adf88d3271fc4242 (patch)
tree3637bfdbee71545533d81f36a8d53888e9567289
parent9574bf2b8a87d32f799c80bf37818d62be6b7c15 (diff)
block DNS traffic at the OpenVPN gateway (#4164)
There are many different edge cases where mac and windows clients (and maybe android too) will revert to using a different DNS server than the one specified by openvpn. This is bad news for security reasons. The client is being designed so it doesn't leak DNS, however we don't want to put all of our eggs in one basket, so this will block outgoing port 53 (udp and tcp) on the gateway's firewall from any of the EIP interfaces (thus not blocking DNS access on the gateway itself). Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp16
1 files changed, 16 insertions, 0 deletions
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7109b770..13f831b6 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -68,6 +68,22 @@ class site_shorewall::eip {
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
+
+ 'block_eip_dns_udp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ protocol => 'udp',
+ destinationport => 'domain',
+ order => 300;
+
+ 'block_eip_dns_tcp':
+ action => 'REJECT',
+ source => 'eip',
+ destination => 'net',
+ protocol => 'tcp',
+ destinationport => 'domain',
+ order => 301;
}
# create dnat rule for each port