
Deny access to additional IP addresses by default.
Including IPv6 with embedded IPv4, IPv4-compatible IPv6, and 6to4
addresses.
clokep committed Jan 27, 2021
1 parent cfcc4bf commit ad1ac2a
Showing 3 changed files with 111 additions and 2 deletions.
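--- a/changelog.d/9240.misc
+++ b/changelog.d/9240.misc
@@ -0,0 +1 @@
+Deny access to additional IP addresses by default.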
72 changes: 72 additions & 0 deletions docs/sample_config.yaml
Expand Up @@ -174,6 +174,42 @@ pid_file: DATADIR/homeserver.pid
# - '198.51.100.0/24'
# - '203.0.113.0/24'
# - '224.0.0.0/4'
# - '::127.0.0.0/104'
# - '::10.0.0.0/104'
# - '::172.16.0.0/108'
# - '::192.168.0.0/112'
# - '::100.64.0.0/106'
# - '::192.0.0.0/120'
# - '::169.254.0.0/112'
# - '::198.18.0.0/111'
# - '::192.0.2.0/120'
# - '::198.51.100.0/120'
# - '::203.0.113.0/120'
# - '::224.0.0.0/100'
# - '::ffff:127.0.0.0/104'
# - '::ffff:10.0.0.0/104'
# - '::ffff:172.16.0.0/108'
# - '::ffff:192.168.0.0/112'
# - '::ffff:100.64.0.0/106'
# - '::ffff:192.0.0.0/120'
# - '::ffff:169.254.0.0/112'
# - '::ffff:198.18.0.0/111'
# - '::ffff:192.0.2.0/120'
# - '::ffff:198.51.100.0/120'
# - '::ffff:203.0.113.0/120'
# - '::ffff:224.0.0.0/100'
# - '2002:7f00:0000::/24'
# - '2002:0a00:0000::/24'
# - '2002:ac10:0000::/28'
# - '2002:c0a8:0000::/32'
# - '2002:6440:0000::/26'
# - '2002:c000:0000::/40'
# - '2002:a9fe:0000::/32'
# - '2002:c612:0000::/31'
# - '2002:c000:0200::/40'
# - '2002:c633:6400::/40'
# - '2002:cb00:7100::/40'
# - '2002:e000:0000::/20'
# - '::1/128'
# - 'fe80::/10'
# - 'fc00::/7'
Expand Down Expand Up @@ -985,6 +1021,42 @@ media_store_path: "DATADIR/media_store"
# - '198.51.100.0/24'
# - '203.0.113.0/24'
# - '224.0.0.0/4'
# - '::127.0.0.0/104'
# - '::10.0.0.0/104'
# - '::172.16.0.0/108'
# - '::192.168.0.0/112'
# - '::100.64.0.0/106'
# - '::192.0.0.0/120'
# - '::169.254.0.0/112'
# - '::198.18.0.0/111'
# - '::192.0.2.0/120'
# - '::198.51.100.0/120'
# - '::203.0.113.0/120'
# - '::224.0.0.0/100'
# - '::ffff:127.0.0.0/104'
# - '::ffff:10.0.0.0/104'
# - '::ffff:172.16.0.0/108'
# - '::ffff:192.168.0.0/112'
# - '::ffff:100.64.0.0/106'
# - '::ffff:192.0.0.0/120'
# - '::ffff:169.254.0.0/112'
# - '::ffff:198.18.0.0/111'
# - '::ffff:192.0.2.0/120'
# - '::ffff:198.51.100.0/120'
# - '::ffff:203.0.113.0/120'
# - '::ffff:224.0.0.0/100'
# - '2002:7f00:0000::/24'
# - '2002:0a00:0000::/24'
# - '2002:ac10:0000::/28'
# - '2002:c0a8:0000::/32'
# - '2002:6440:0000::/26'
# - '2002:c000:0000::/40'
# - '2002:a9fe:0000::/32'
# - '2002:c612:0000::/31'
# - '2002:c000:0200::/40'
# - '2002:c633:6400::/40'
# - '2002:cb00:7100::/40'
# - '2002:e000:0000::/20'
# - '::1/128'
# - 'fe80::/10'
# - 'fc00::/7'
40 changes: 38 additions & 2 deletions synapse/config/server.py
Expand Up @@ -23,7 +23,7 @@

import attr
import yaml
from netaddr import IPSet
from netaddr import IPNetwork, IPSet

from synapse.api.room_versions import KNOWN_ROOM_VERSIONS
from synapse.util.stringutils import parse_and_validate_server_name
Expand All @@ -40,7 +40,24 @@
# in the list.
DEFAULT_BIND_ADDRESSES = ["::", "0.0.0.0"]

DEFAULT_IP_RANGE_BLACKLIST = [

def _6to4(network_str: str) -> str:
"""Convert an IPv4 network into a 6to4 IPv6 network per RFC 3056."""
network = IPNetwork(network_str)
# 6to4 networks have a prefix of 2002, the first IPv4 address in the network
# needs to be hex-encoded as the next 32 bits. Calculate the new prefix by
# adding 16 (the additional bits from the 2002: prefix).
hex_network = hex(network.first)[2:]
hex_network = ("0" * (8 - len(hex_network))) + hex_network
return "2002:%s:%s::/%d" % (
hex_network[:4],
hex_network[4:],
16 + network.prefixlen,
)


# Start with IPv4 ranges that are considered private / unroutable / don't make sense.
DEFAULT_IPV4_RANGE_BLACKLIST = [
# Localhost
"127.0.0.0/8",
# Private networks.
Expand All @@ -60,13 +77,32 @@
"203.0.113.0/24",
# Multicast.
"224.0.0.0/4",
]

# IPv6 contains all of the IPv4 address space, see RFC 4291, section 2.5.5.
# IPv6 also has a deprecated transition mechanism (6to4) which is not supposed
# to be used for private IPv4 space, see RFC 3056, section 2.
DEFAULT_IPV6_RANGE_BLACKLIST = (
[
str(IPNetwork(ip).ipv6(ipv4_compatible=True))
for ip in DEFAULT_IPV4_RANGE_BLACKLIST
]
+ [
str(IPNetwork(ip).ipv6(ipv4_compatible=False))
for ip in DEFAULT_IPV4_RANGE_BLACKLIST
]
+ [_6to4(ip) for ip in DEFAULT_IPV4_RANGE_BLACKLIST]
)
# Add IPv6 ranges that are considered private / unroutable / don't make sense.
DEFAULT_IPV6_RANGE_BLACKLIST += [
# Localhost
"::1/128",
# Link-local addresses.
"fe80::/10",
# Unique local addresses.
"fc00::/7",
]
DEFAULT_IP_RANGE_BLACKLIST = DEFAULT_IPV4_RANGE_BLACKLIST + DEFAULT_IPV6_RANGE_BLACKLIST

DEFAULT_ROOM_VERSION = "6"

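Review bot: `_6to4` pads the hex string by hand at `hex_network = hex(network.first)[2:]` followed by `hex_network = ("0" * (8 - len(hex_network))) + hex_network`; a format spec does the same in one step and makes the fixed 32-bit width explicit: `hex_network = "%08x" % network.first`. The derived list in `DEFAULT_IPV6_RANGE_BLACKLIST` covers the IPv4-compatible, IPv4-mapped and 6to4 embeddings, but other well-known IPv4-embedding prefixes — the NAT64 well-known prefix `64:ff9b::/96` (RFC 6052) and Teredo `2001::/32` (RFC 4380) — are not derived from `DEFAULT_IPV4_RANGE_BLACKLIST`, so the comment beginning `# IPv6 contains all of the IPv4 address space` should say which embeddings are deliberately left out, or the literal additions after `# Add IPv6 ranges that are considered private` could include them. Whether the outbound connection path can actually reach addresses under those prefixes is not visible in this hunk, so treat that as something to confirm rather than a known gap. The module continues outside the hunk.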
