From e3e44973d6290a0228375135adf88d3271fc4242 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 29 Apr 2014 14:39:15 -0400
Subject: block DNS traffic at the OpenVPN gateway (#4164)

There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.

This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).

Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
---
 puppet/modules/site_shorewall/manifests/eip.pp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'puppet')

diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7109b770..13f831b6 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -68,6 +68,22 @@ class site_shorewall::eip {
       destination => '$FW',
       action      => 'leap_eip(ACCEPT)',
       order       => 200;
+
+    'block_eip_dns_udp':
+      action          => 'REJECT',
+      source          => 'eip',
+      destination     => 'net',
+      protocol        => 'udp',
+      destinationport => 'domain',
+      order           => 300;
+
+    'block_eip_dns_tcp':
+      action          => 'REJECT',
+      source          => 'eip',
+      destination     => 'net',
+      protocol        => 'tcp',
+      destinationport => 'domain',
+      order           => 301;
   }
 
   # create dnat rule for each port
-- 
cgit v1.2.3