Merge branch 'master' of git+ssh://code.ungleich.ch/ungleich-public/ungleich-staticcms

2020-08-31 10:44:42 +02:00 · 2020-08-31 10:44:42 +02:00 · 1bb4bb4f49
commit 1bb4bb4f49
parent 3f57df73dc 16f6a2cddf
2 changed files with 122 additions and 2 deletions
--- a/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr
+++ b/content/u/blog/nftables-block-dhcp-and-router-advertisements/contents.lr
@ -0,0 +1,108 @@
+title: Blocking DHCP servers and router advertisements with nftables
+---
+pub_date: 2020-08-27
+---
+author: ungleich
+---
+twitter_handle: ungleich
+---
+_hidden: no
+---
+_discoverable: yes
+---
+abstract:
+Blocking typical data center workloads with nftables
+---
+body:
+
+## Motivation
+
+Here at [ungleich](https://ungleich.ch) we are providing a variety of
+hosting services in the [Data Center
+Light](https://datacenterlight.ch). One of the workloads we offer is
+VM hosting and we need to take some security measures to prevent one
+customer abusing another customer.
+
+## The problem
+
+The virtual machines in our next generation uncloud hosting will be
+using standard DHCP and IPv6 address assignments. Currently
+we are still using the
+[OpenNebula](https://github.com/OpenNebula/addon-context-linux)
+contextualisation scripts that read the networking information from an
+attached ISO.
+
+While this makes it easier to create VM images and VMs behave even
+more like regular computers, this exposes the VMs to attacks where one
+customer runs a DHCP server or IPv6 router advertisement daemon and
+tricks the other VMs into sending traffic to it.
+
+## The architecture
+
+VMs are connected to a single shared network in which they get
+their IP addresses (in uncloud usually only IPv6) and then they can
+retrieve more information from a metadata server. So the main
+protection that is required is preventing to trick other customers
+into using a wrong IP address or route.
+
+Also, if the network is IPv6 only, another customer should not be able
+to trick someone else into using IPv4.
+
+## Fixing it
+
+So the easiest thing to do is to disallow IPv6 router advertisements
+and IPv4 DHCP server answers. However as all the interfaces are put
+into one bridge, we will need to filter on bridge and not ip level:
+
+```
+table bridge filter {
+    chain prerouting {
+        type filter hook prerouting priority 0;
+        policy accept;
+    }
+```
+
+Next we create a chain to drop the packets we dislike:
+
+```
+    chain drop_ra_dhcp {
+        # Blocks: router advertisements, dhcpv6, dhcpv4
+        icmpv6 type nd-router-advert drop
+        ip6 version 6 udp sport 547 drop
+        ip  version 4 udp sport 67 drop
+    }
+```
+
+Now the only thing left is to correctly classify the traffic. For this
+lets take some real world assumptions:
+
+* Let's assume the bridge is named **br100**
+* Let's assume the upstream interface that should allow RA/DHCP is
+  named **vxlan100**
+
+Then we can connect the chains together:
+
+```
+table bridge filter {
+    chain prerouting {
+        type filter hook prerouting priority 0;
+        policy accept;
+
+        iifname != vxlan100 meta ibrname br100 jump drop_ra_dhcp
+    }
+
+    chain drop_ra_dhcp {
+        # Blocks: router advertisements, dhcpv6, dhcpv4
+        icmpv6 type nd-router-advert drop
+        ip6 version 6 udp sport 547 drop
+        ip  version 4 udp sport 67 drop
+    }
+}
+```
+
+This way we have a very simple filter to prevent router advertisements
+or dhcp answers to come from customer VMs.
+
+We hope you enjoyed reading it, but if something does not make sense,
+you can ask on our [open chat](/u/projects/open-chat/) or
+[consult the nftables reference](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Meta).
--- a/content/u/products/mail-hosting/contents.lr
+++ b/content/u/products/mail-hosting/contents.lr
@ -12,7 +12,7 @@ headline1: Mail Hosting:
 ---
 headline2: Your Mails in Switzerland
 ---
-header_background_color: #788BCE 
+header_background_color: #788BCE
 ---
 header_text_color: text-light
 ---
@ -39,14 +39,26 @@ description2:

 This mailhosting is mainly targeted for low volume, single person or
 single system usage.
+If you need a mail gateway for sending system logs or if you just need
+an easy to use mail account, this is the right product.
+
+This product is feasible for normal use of email. Spamming is
+prohibited and will lead to suspension and/or terminaton of your
+account.
+
+If you are interested in a legit high volume mail traffic product,
+[contact us](/u/contact/) for an individual offer.

 ## What you get

 * A single mailbox account (yourname@ungleich.cloud)
 * Up to 100 mail aliases
-* Up to 100GB usage
+* Up to 100GB usage (additional storage: 100GB for 2 CHF/month)
+* Access via SMTP, IMAPS and Webmail

 ## Pricing

 The one time setup fee is 15 CHF, the monthly recurring fee is 7 CHF
 per month.
+
+You can order it by sending an email to **support at ungleich.ch**.