Hello list, hello Jason,
I'm using the following nftables rules:
table inet filter {
chain input {
type filter hook input priority filter
ct state { established, related } accept
[...]
iifname "wg0" accept
udp dport 51820 accept
[...]
reject
}
}
After reading about CVE-2019-14899 I'm unsure if this allows an attacker
to injects packets into tcp connections.
If so, what is the best way to prevent this? Is setting rp_filter=1
sufficient?
Independently of the CVE I want to confirm if my firewall rules do what
I want them to do.
The nftables rules above are based on the following paragraph from
wireguard.com:
>[...] system administrators do not need complicated firewall
>extensions [...] but rather they can simply match on "is it from this
>IP? on this interface?", and be assured that it is a secure and
>authentic packet
Is this idea correctly represented by the rule "iifname wg0 accept"?
(I'm intentionally accepting connections from all peers in this case.)
Thank you
Julian
_______________________________________________
WireGuard mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/wireguard
