2025 07 01

Author: randomizedcoder

desktop/l2/README.md

@@ -330,4 +330,32 @@ Internet (enp1s0)
 - `monitoring.nix` - Performance monitoring and testing services
 - `sysctl.nix` - Kernel network parameters
 - `configuration.nix` - Main system configuration
-- `CPU_and_IRQ_optimization.md` - Detailed optimization documentation
+- `CPU_and_IRQ_optimization.md` - Detailed optimization documentation
+
+
+## Netlink monitoring
+
+Hostapd communicates with the kernel via Netlink.  To monitor the Netlink traffic, follow these instructions:
+
+```
+modprobe nlmon
+sudo modprobe nlmon
+lsmod | grep nlmon
+sudo ip link add nlmon0 type nlmon
+sudo ip link set dev nlmon0 up
+sudo tcpdump -i nlmon0 -w netlink.pcap
+sudo chown das:das *.pcap
+```
+
+See also: https://jvns.ca/blog/2017/09/03/debugging-netlink-requests/
+
+
+## ipv6 debugging notes
+
+```
+sudo tcpdump -i enp1s0 -n 'icmp6 and (icmp6[0] == 133 or icmp6[0] == 134)'
+# triggger router solicitation (nix-shell -p ndisc6)
+sudo rdisc6 enp1s0
+# another way
+sudo ip -6 route flush dev enp1s0
+```

desktop/l2/firewall.md

@@ -4,7 +4,7 @@
 
 This document outlines the design and principles of the `nftables` firewall configuration for the L2 WiFi access point. The primary goals are to provide robust security for the router and its clients, ensure correct network functionality, and maintain a clear, auditable ruleset with maximum performance.
 
-The firewall leverages `nftables` for its modern syntax, performance, and ability to handle both IPv4 and IPv6 within a unified `inet` table family where possible. The configuration is optimized for performance through extensive use of nftables sets and strategic rule ordering.
+The firewall leverages `nftables` for its modern syntax, performance, and ability to handle both IPv4 and IPv6 within a unified `inet` table family where possible. The configuration is optimized for performance through extensive use of nftables sets and strategic rule ordering, including early processing of trusted traffic like loopback communication.
 
 ### 1.1. Configuration Variables
 
@@ -49,6 +49,9 @@ The firewall extensively uses nftables sets for optimal performance and maintain
 *   **`special_purpose_ipv6`**: Contains all RFC 6890 special-purpose IPv6 ranges
 *   **`loopback_ipv4`**: IPv4 loopback addresses (127.0.0.0/8)
 *   **`loopback_ipv6`**: IPv6 loopback addresses (::1/128)
+*   **`link_local_ipv6`**: IPv6 link-local addresses (fe80::/10) - essential for IPv6 operation including Router Advertisements and Neighbor Discovery
+*   **`internal_ipv4`**: Internal IPv4 subnet (192.168.1.0/24) - our allocated private network
+*   **`internal_ipv6`**: Internal IPv6 subnet (fd00::/64) - our allocated private network
 *   **`blacklist`**: Dynamic blacklist for CrowdSec integration (timeout-based, auto-merge)
 
 #### 3.1.2. Service Port Sets
@@ -66,14 +69,18 @@ This chain protects the access point itself with optimized rule ordering:
 
 *   **Early Invalid Packet Drops**:
     *   **Drops** invalid connection states immediately
-    *   **Drops** fragmented packets (potential evasion technique)
+    *   **Allows** fragment reassembly - router reassembles fragments and applies security rules to reassembled packets
+*   **Loopback Protection** (Early):
+    *   **Accepts** all legitimate traffic on the loopback interface (`lo`) immediately
+    *   **Drops** any packet seen on a physical interface with loopback addresses using optimized set lookups
+    *   **Performance**: Early placement ensures trusted loopback traffic bypasses expensive rule evaluation
+*   **TCP Flag Validation**:
     *   **Drops** packets with invalid TCP flag combinations
 *   **Fast Path for Established Connections**:
     *   **Accepts** established and related connections early for maximum performance
-*   **Loopback Protection**:
-    *   **Accepts** all legitimate traffic on the loopback interface (`lo`)
-    *   **Drops** any packet seen on a physical interface with loopback addresses using optimized set lookups
 *   **Global Anti-Spoofing**:
+    *   **Exception**: Allows essential IPv6 link-local communication (Router Advertisements, Neighbor Discovery) using the `link_local_ipv6` set
+    *   **Allows** legitimate internal traffic from our allocated subnets
     *   **Drops** any incoming packet with a source address from special-purpose ranges using set-based filtering
 *   **Service Access Control**:
     *   **Allows** access to essential network services using set-based port matching
@@ -90,9 +97,14 @@ This chain governs the traffic from WiFi clients to the internet and vice-versa
 
 *   **Early Invalid Packet Drops**:
     *   **Drops** invalid connection states and malformed packets immediately
+    *   **Allows** fragment reassembly for forwarded packets
 *   **Anti-Spoofing with Set-Based Filtering**:
     *   **Drops** any packet being forwarded that contains loopback addresses using set lookups
     *   **Drops** any packet from internal clients with spoofed upstream LAN addresses
+    *   **Drops** any packet from internal clients with spoofed special-purpose addresses
+*   **Internal Traffic Forwarding**:
+    *   **Allows** legitimate internal traffic from our allocated subnets to external network
+*   **Special-Purpose Destination Blocking**:
     *   **Drops** any packet from internal clients destined for special-purpose ranges using set-based filtering
 *   **Fast Path for Return Traffic**:
     *   **Allows** return traffic from external to internal for established connections (most common case)
@@ -111,9 +123,13 @@ This chain governs traffic generated by the access point itself with comprehensi
 
 *   **Default-Accept Policy**: The policy is `accept`, but hardened with explicit `drop` rules
 *   **Early Invalid Packet Drops**:
-    *   **Drops** invalid connection states, fragmented packets, and invalid TCP flags
-*   **Loopback Protection**:
+    *   **Drops** invalid connection states, fragmented packets
+    *   **Allows** fragment reassembly for outgoing packets
+*   **Loopback Protection** (Early):
     *   **Drops** any packet with loopback addresses on physical interfaces using set-based filtering
+    *   **Performance**: Early placement ensures loopback spoofing is detected before expensive rule evaluation
+*   **TCP Flag Validation**:
+    *   **Drops** packets with invalid TCP flag combinations
 *   **Global Egress Filtering**:
     *   **Drops** any packet destined for special-purpose ranges using set-based filtering
 *   **Interface-Specific Egress Filtering**:
@@ -139,6 +155,8 @@ The firewall employs several advanced optimization techniques:
 
 #### 3.6.2. Rule Ordering Optimization
 *   **Early Drops**: Invalid packets and spoofed traffic are dropped as early as possible
+*   **Fragment Reassembly**: Fragments are accepted for reassembly before applying security rules
+*   **Loopback Fast Path**: Loopback traffic is accepted immediately as it's inherently trusted, bypassing expensive rule evaluation and providing maximum performance for localhost communication
 *   **Fast Path**: Established connections are accepted early to avoid expensive rule evaluation
 *   **Global Filters**: Non-interface-specific drops (like special-purpose IP blocking) are applied before interface-specific rules
 *   **Most Common Traffic First**: Return traffic and established connections are prioritized
@@ -253,17 +271,32 @@ The CrowdSec integration makes several deliberate architectural choices:
 - Internal clients cannot spoof upstream LAN addresses
 - Fragment and TCP flag filtering prevents evasion techniques
 
-### 4.3. Network Segmentation
+### 4.3. Fragment Handling Strategy
+- **Fragment Reassembly**: Instead of dropping fragments, the router reassembles them and applies security rules to the complete packets
+- **Security Benefits**: Prevents fragment-based attacks while maintaining compatibility with legitimate applications
+- **Compatibility**: Supports applications that rely on fragmentation (VPNs, streaming, large packet transfers)
+- **Performance**: Reassembly happens at the kernel level with minimal overhead
+- **Attack Prevention**: Fragment-based evasion techniques are neutralized since security rules are applied to reassembled packets
+
+### 4.4. Network Segmentation
 - Clear separation between internal (br0) and external (enp1s0) interfaces
 - Service access is restricted to internal interfaces only
 - Upstream LAN access is explicitly controlled
 - Egress filtering prevents internal network leakage
 
-### 4.4. IPv6 Security
+### 4.5. IPv6 Security
 - Comprehensive ICMPv6 filtering for proper IPv6 operation
 - Neighbor Discovery Protocol protection
-- Router Advertisement control
+- Router Advertisement control via link-local address set (`link_local_ipv6`)
 - Path MTU Discovery support
+- Essential link-local communication allowed for IPv6 operation
+
+### 4.6. Performance Considerations
+- **Early Loopback Processing**: Loopback traffic is handled immediately to bypass expensive rule evaluation
+- **Fragment Reassembly**: Kernel-level reassembly with minimal overhead
+- **Set-Based Lookups**: Optimized address and port matching using nftables sets
+- **Rule Ordering**: Most common traffic patterns are prioritized for maximum throughput
+- **Connection Tracking**: Stateful inspection reduces rule evaluation for established connections
 
 ## 5. Monitoring and Logging
 
@@ -292,6 +325,7 @@ Monitor firewall logs for:
 | ------------------------------- | :--------------------: | :-----------------------: | :---------------------: |
 | **Default-Deny Policy**         |           ✓            |             ✓             |            ✗            |
 | **Stateful Inspection**         |           ✓            |             ✓             |            ✓            |
+| **Fragment Reassembly**         |           ✓            |             ✓             |            ✓            |
 | **Loopback Anti-Spoofing**      |           ✓            |             ✓             |            ✓            |
 | **Special-Purpose IP Blocking** |           ✓            |             ✓             |            ✓            |
 | **Service Access Control**      |           ✓            |            N/A            |           N/A           |
@@ -353,6 +387,9 @@ ping -I 127.0.0.1 8.8.8.8  # Should be blocked
 # Test special-purpose IP blocking
 ping -I 192.168.1.100 10.0.0.1  # Should be blocked
 
+# Test fragment handling
+ping -s 1500 -M do 192.168.1.1  # Test large packets that may fragment
+
 # Test IPv6 functionality
 ping6 -c 1 fd00::1  # Should work from internal
 

desktop/l2/firewall.nix

@@ -111,6 +111,32 @@ in {
           }
         }
 
+        # Define set for link-local IPv6 addresses (essential for IPv6 operation)
+        set link_local_ipv6 {
+          type ipv6_addr
+          flags interval
+          elements = {
+            fe80::/10            # Link-Local Addresses
+          }
+        }
+
+        # Define sets for our internal networks
+        set internal_ipv4 {
+          type ipv4_addr
+          flags interval
+          elements = {
+            ${internalIPv4Prefix}  # Internal IPv4 subnet
+          }
+        }
+
+        set internal_ipv6 {
+          type ipv6_addr
+          flags interval
+          elements = {
+            ${internalIPv6Prefix}  # Internal IPv6 subnet
+          }
+        }
+
         # Define sets for common service ports
         set ssh_ports {
           type inet_service
@@ -181,8 +207,18 @@ in {
           # Early drop for invalid packets
           ct state invalid drop
 
-          # Drop fragmented packets (potential evasion technique)
-          ip frag-off & 0x1fff != 0 drop
+          # Allow fragment reassembly - let the router reassemble fragments
+          # and then apply security rules to the reassembled packets
+          # This prevents fragment-based attacks while maintaining compatibility
+          ip frag-off & 0x1fff != 0 accept
+
+          # Accept all traffic on the loopback interface, and drop spoofed
+          # loopback packets on any other interface.
+          iif lo accept
+          iif != "lo" ip saddr @loopback_ipv4 drop
+          iif != "lo" ip daddr @loopback_ipv4 drop
+          iif != "lo" ip6 saddr @loopback_ipv6 drop
+          iif != "lo" ip6 daddr @loopback_ipv6 drop
 
           # Drop packets with invalid TCP flag combinations
           tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) drop
@@ -196,19 +232,23 @@ in {
           # Allow established and related connections
           ct state established,related accept
 
-          # Accept all traffic on the loopback interface, and drop spoofed
-          # loopback packets on any other interface.
-          iif lo accept
-          iif != "lo" ip saddr @loopback_ipv4 drop
-          iif != "lo" ip daddr @loopback_ipv4 drop
-          iif != "lo" ip6 saddr @loopback_ipv6 drop
-          iif != "lo" ip6 daddr @loopback_ipv6 drop
-
           # Drop incoming traffic from special-purpose/unroutable source addresses (RFC 6890)
           # This provides strong anti-spoofing protection for the router itself.
+          # EXCEPTION: Allow essential IPv6 link-local communication (needed for IPv6 operation)
+          ip6 saddr @link_local_ipv6 icmpv6 type @icmpv6_allowed accept
+
+          # Allow legitimate internal traffic from our networks
+          iifname "${lanInterface}" ip saddr @internal_ipv4 accept
+          iifname "${lanInterface}" ip6 saddr @internal_ipv6 accept
+
+          # Block spoofed special-purpose addresses from all interfaces
           ip saddr @special_purpose_ipv4 drop
           ip6 saddr @special_purpose_ipv6 drop
 
+          # Block destination special-purpose addresses from all interfaces
+          ip daddr @special_purpose_ipv4 drop
+          ip6 daddr @special_purpose_ipv6 drop
+
           # Allow management and network services from the internal interface (${lanInterface})
           # Rate limit SSH to prevent brute force attacks
           iifname "${lanInterface}" tcp dport @ssh_ports ct state new limit rate 6/minute accept
@@ -247,8 +287,9 @@ in {
           # Early drop for invalid packets being forwarded
           ct state invalid drop
 
-          # Drop fragmented packets being forwarded
-          ip frag-off & 0x1fff != 0 drop
+          # Allow fragment reassembly for forwarded packets
+          # Let the router reassemble fragments and apply security rules to reassembled packets
+          ip frag-off & 0x1fff != 0 accept
 
           # Drop packets with invalid TCP flag combinations
           tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) drop
@@ -265,6 +306,14 @@ in {
           # Drop traffic from internal clients pretending to be on the upstream LAN.
           iifname "${lanInterface}" ip saddr ${upstreamLanPrefix} drop
 
+          # Allow legitimate internal traffic to external network
+          iifname "${lanInterface}" oifname "${wanInterface}" ip saddr @internal_ipv4 accept
+          iifname "${lanInterface}" oifname "${wanInterface}" ip6 saddr @internal_ipv6 accept
+
+          # Block spoofed special-purpose addresses from internal clients
+          iifname "${lanInterface}" ip saddr @special_purpose_ipv4 drop
+          iifname "${lanInterface}" ip6 saddr @special_purpose_ipv6 drop
+
           # Drop traffic from internal clients to private/reserved ranges.
           # This prevents traffic from being forwarded to non-routable destinations.
           # Based on IANA Special-Purpose Address Registry (RFC 6890)
@@ -300,13 +349,9 @@ in {
           # Drop invalid packets originating from the local machine
           ct state invalid drop
 
-          # Drop fragmented packets from router
-          ip frag-off & 0x1fff != 0 drop
-
-          # Drop packets with invalid TCP flag combinations
-          tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) drop
-          tcp flags & (fin|syn) == (fin|syn) drop
-          tcp flags & (syn|rst) == (syn|rst) drop
+          # Allow fragment reassembly for outgoing packets
+          # Let the router reassemble fragments before sending
+          ip frag-off & 0x1fff != 0 accept
 
           # Drop spoofed loopback packets on non-loopback interfaces.
           # Legitimate traffic to/from loopback addresses should only be on the 'lo' interface.
@@ -315,6 +360,11 @@ in {
           oif != "lo" ip6 saddr @loopback_ipv6 drop
           oif != "lo" ip6 daddr @loopback_ipv6 drop
 
+          # Drop packets with invalid TCP flag combinations
+          tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|syn|rst|psh|ack|urg) drop
+          tcp flags & (fin|syn) == (fin|syn) drop
+          tcp flags & (syn|rst) == (syn|rst) drop
+
           # Allow essential ICMPv6 traffic from router (Router Advertisement, Neighbor Advertisement, etc.)
           oifname "${lanInterface}" icmpv6 type @icmpv6_allowed accept
           oifname "${wanInterface}" icmpv6 type @icmpv6_allowed accept
@@ -328,13 +378,13 @@ in {
 
           # Block allocated subnets from going out the WAN interface (${wanInterface})
           # to prevent internal network leakage
-          oifname "${wanInterface}" ip daddr ${internalIPv4Prefix} drop
-          oifname "${wanInterface}" ip6 daddr ${internalIPv6Prefix} drop
+          oifname "${wanInterface}" ip daddr @internal_ipv4 drop
+          oifname "${wanInterface}" ip6 daddr @internal_ipv6 drop
 
           # Allow allocated subnets to go out the internal interface (${lanInterface})
           # for legitimate internal network communication
-          oifname "${lanInterface}" ip daddr ${internalIPv4Prefix} accept
-          oifname "${lanInterface}" ip6 daddr ${internalIPv6Prefix} accept
+          oifname "${lanInterface}" ip daddr @internal_ipv4 accept
+          oifname "${lanInterface}" ip6 daddr @internal_ipv6 accept
         }
       }
 
@@ -357,7 +407,7 @@ in {
 
         chain postrouting {
           type nat hook postrouting priority srcnat;
-          # IPv6 masquerading
+          # IPv6 masquerading for private fd00::/64 network
           oifname "${wanInterface}" masquerade
         }
       }