sonic-buildimage/files
Joe LeVeque 5e8e0d76fc
[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412)
Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services for which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
2020-05-11 12:36:47 -07:00
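As an added illustration (not caclmgrd's code and not part of the original page), the following Python builds the INPUT-chain command list in the order the fifteen steps of the commit message above prescribe, from a constructed configuration. The service ports (22/tcp, 161/udp, 123/udp), the shape of the ACL input (service name mapped to a list of (action, source CIDR) pairs), the interface-IP input and the particular ICMP/ICMPv6 type selections are assumptions made here; the real daemon reads ACL tables and rules from Config DB with a different schema, and the commands are only generated as strings, not executed.

```python
import ipaddress

# Constructed service map. The commit message names SSH, SNMP and NTP as the
# recognized services; the ports are IANA defaults and an assumption here.
SERVICE_PORTS = {"SSH": ("tcp", 22), "SNMP": ("udp", 161), "NTP": ("udp", 123)}

# ICMP types chosen (assumption) to cover ping and traceroute in both directions.
ICMP_TYPES = ["echo-request", "echo-reply", "time-exceeded", "destination-unreachable"]
# Neighbor Discovery messages listed in step 4.
NDP_TYPES = ["neighbor-solicitation", "neighbor-advertisement",
             "router-solicitation", "router-advertisement"]


def _tool(addr):
    """Pick iptables or ip6tables from the address family of an IP or CIDR."""
    return "ip6tables" if ipaddress.ip_network(addr, strict=False).version == 6 else "iptables"


def build_input_rules(acl_rules, own_ips):
    """Return the ordered list of iptables/ip6tables commands for the INPUT chain.

    acl_rules: {service: [(action, source_cidr), ...]} (constructed shape).
    own_ips:   {"loopback"|"mgmt"|"p2p"|"vlan": [ip, ...]} (constructed shape).
    Because every command uses -A (append), list order is the policy.
    """
    cmds = []

    def both(suffix):
        cmds.extend(f"{t} -A INPUT {suffix}" for t in ("iptables", "ip6tables"))

    # 1. Established sessions and related new sessions.
    both("-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    # 2. ICMPv4 ping and traceroute.
    for t in ICMP_TYPES:
        cmds.append(f"iptables -A INPUT -p icmp --icmp-type {t} -j ACCEPT")
    # 3. ICMPv6 ping and traceroute.
    for t in ICMP_TYPES:
        cmds.append(f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    # 4. NDP NS/NA/RS/RA.
    for t in NDP_TYPES:
        cmds.append(f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
    # 5. and 6. DHCPv4 and DHCPv6.
    cmds.append("iptables -A INPUT -p udp --dport 67:68 -j ACCEPT")
    cmds.append("ip6tables -A INPUT -p udp --dport 546:547 -j ACCEPT")
    # 7. BGP.
    both("-p tcp --dport 179 -j ACCEPT")
    # 8. Configured ACL rules for recognized services, in configured order.
    acls_applied = False
    for svc, (proto, port) in SERVICE_PORTS.items():
        for action, src in acl_rules.get(svc, []):
            acls_applied = True
            cmds.append(f"{_tool(src)} -A INPUT -s {src} -p {proto} --dport {port} -j {action}")
    # 9. Default ACCEPT for every recognized service without ACL rules.
    for svc, (proto, port) in SERVICE_PORTS.items():
        if not acl_rules.get(svc):
            both(f"-p {proto} --dport {port} -j ACCEPT")
    # 10. to 13. Drop whatever else is addressed to our own interface IPs.
    for kind in ("loopback", "mgmt", "p2p", "vlan"):
        for ip in own_ips.get(kind, []):
            cmds.append(f"{_tool(ip)} -A INPUT -d {ip} -j DROP")
    # 14. Accept packets whose TTL / hop limit is 0 or 1 (tcptraceroute replies).
    cmds.append("iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT")
    cmds.append("ip6tables -A INPUT -m hl --hl-lt 2 -j ACCEPT")
    # 15. Final catch-all DROP, only when control plane ACLs were actually applied.
    if acls_applied:
        both("-j DROP")
    return cmds


if __name__ == "__main__":
    # Constructed sample: SSH restricted to one v4 and one v6 prefix, SNMP/NTP unconfigured.
    sample_acl = {"SSH": [("ACCEPT", "10.0.0.0/8"), ("ACCEPT", "2001:db8::/32"),
                          ("DROP", "0.0.0.0/0")]}
    sample_ips = {"loopback": ["10.1.0.1"], "mgmt": ["192.0.2.10"],
                  "vlan": ["192.168.0.1", "fc00::1"]}
    for cmd in build_input_rules(sample_acl, sample_ips):
        print(cmd)
```

The two properties worth checking before trusting such a generator are the ones the commit message spells out: the per-service ACL rules (step 8) and the default ACCEPTs for unconfigured services (step 9) must sit above the catch-all DROP, and that DROP must be appended only when at least one ACL rule was found, so a device with no control plane ACLs configured still accepts SSH. Run the generated commands only after inspecting the list; on a live box a wrong order locks you out of management.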
Aboot [arista]: Change kernel param for smartsville (#56) 2020-04-20 07:34:43 +00:00
apt [build]: add buster docker as the last step of the build process 2020-04-16 10:26:18 +00:00
build_scripts [build_debian] Include checksum of ASIC config files in SONiC filesystem (#3384) 2019-09-05 19:41:35 -07:00
build_templates Changes for LLDP docker to support multi-npu platforms (#4530) 2020-05-11 11:05:44 -07:00
dhcp ZTP infrastructure changes to support DHCP discovery provisioning data (#3298) 2019-12-10 08:16:56 -08:00
docker [docker-engine]: upgrade docker engine to 18.09 (#2417) 2019-01-04 20:47:43 -08:00
image_config [caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412) 2020-05-11 12:36:47 -07:00
initramfs-tools [baseimage]: Run fsck filesystem check support prior mounting filesystem (#4431) 2020-04-30 00:33:20 -07:00
scripts Multi DB with namespace support, Introducing the database_global.json… (#4477) 2020-05-08 21:24:05 -07:00
sshd [sshd]: Create /run/sshd under systemd using RuntimeDirectory 2020-04-17 04:51:51 +00:00