[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user
Alin Năstac
alin.nastac at gmail.com
Tue Jul 3 17:22:00 EDT 2018
On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
<philipp_subx at redfish-solutions.com> wrote:
>
> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
Not all inbound SYNs are unsolicited. Take for instance active mode
FTP transfers where the client resides on the LAN. In this case the
FTP data connection is initiated from the WAN, but it is solicited by
the FTP control connection initiated from the LAN.
I don't think it matters that much what error code the firewall returns
for these unsolicited inbound SYNs, but this RFC makes the
adm-prohibited code a must.
> Sent from my iPhone
> > On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac at gmail.com> wrote:
> >
> > From: Alin Nastac <alin.nastac at gmail.com>
> >
> > RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> > unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> > code 1 (Communication with destination administratively prohibited).
> >
> > Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
> > ---
> > defaults.c | 21 ++++++++++++++++-----
> > options.h | 2 ++
> > 2 files changed, 18 insertions(+), 5 deletions(-)
> >
> > diff --git a/defaults.c b/defaults.c
> > index 11fbf0d..6565ca2 100644
> > --- a/defaults.c
> > +++ b/defaults.c
> > @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
> > FW3_OPT("output", target, defaults, policy_output),
> >
> > FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
> > + FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects),
> > + FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),
> >
> > FW3_OPT("syn_flood", bool, defaults, syn_flood),
> > FW3_OPT("synflood_protect", bool, defaults, syn_flood),
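Review bot: the second new FW3_OPT line is missing the space after the comma (`"admin_prohib_rejects",bool`), unlike every neighbouring entry in fw3_flag_opts[]; please align it with the surrounding style, e.g. `FW3_OPT("admin_prohib_rejects", bool, defaults, admin_prohib_rejects),`. Also, the commit message only talks about the ICMPv6 adm-prohibited code, while this hunk also introduces `tcp_reset_rejects`; a sentence explaining what that second option does and why it is added in the same patch would help whoever reads the log later.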
> > @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> >
> > defs->syn_flood_rate.rate = 25;
> > defs->syn_flood_rate.burst = 50;
> > + defs->tcp_reset_rejects = true;
> > defs->tcp_syncookies = true;
> > defs->tcp_window_scaling = true;
> > defs->custom_chains = true;
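Review bot: only `tcp_reset_rejects` gets an explicit default here; `admin_prohib_rejects` is left to whatever the struct was initialised with, so the default firewall still answers unsolicited SYNs with port-unreach, which is exactly what the commit message cites RFC 6092 section 3.3.1 as recommending against for an IPv6 CPE. Either set `defs->admin_prohib_rejects = true;` next to the line above, or state in the commit message that the RFC behaviour is opt-in and must be enabled in the config.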
> > @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> > fw3_ipt_rule_append(r, "INPUT");
> > }
> >
> > - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> > - fw3_ipt_rule_target(r, "REJECT");
> > - fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> > - fw3_ipt_rule_append(r, "reject");
> > + if (defs->tcp_reset_rejects)
> > + {
> > + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> > + fw3_ipt_rule_target(r, "REJECT");
> > + fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> > + fw3_ipt_rule_append(r, "reject");
> > + }
> >
> > r = fw3_ipt_rule_new(handle);
> > fw3_ipt_rule_target(r, "REJECT");
> > - fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> > + fw3_ipt_rule_addarg(r, false, "--reject-with",
> > + defs->admin_prohib_rejects ?
> > + (handle->family == FW3_FAMILY_V6 ?
> > + "adm-prohibited" :
> > + "admin-prohib") :
> > + "port-unreach");
> > fw3_ipt_rule_append(r, "reject");
> >
> > break;
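Review bot: the nested ternary passed to fw3_ipt_rule_addarg() is hard to read and easy to get wrong when the next reject type is added; pull the selection into a local, e.g. `const char *reject_with = "port-unreach";` followed by the family check, and pass that. Note also that `admin_prohib_rejects` is applied to both families, so enabling it to satisfy the IPv6 recommendation changes IPv4 rejects to `admin-prohib` as well; if that is intended it should be said in the commit message, otherwise the option could be restricted to `FW3_FAMILY_V6` and keep `port-unreach` for IPv4. With `tcp_reset_rejects` disabled, TCP SYNs now fall through to the ICMP reject rule, which is consistent with the option's purpose but worth a one-line comment above the `if`.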
> > diff --git a/options.h b/options.h
> > index 08fecf6..e3ba99c 100644
> > --- a/options.h
> > +++ b/options.h
> > @@ -276,6 +276,8 @@ struct fw3_defaults
> > enum fw3_flag policy_forward;
> >
> > bool drop_invalid;
> > + bool tcp_reset_rejects;
> > + bool admin_prohib_rejects;
> >
> > bool syn_flood;
> > struct fw3_limit syn_flood_rate;
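Review bot: two new user-visible options are added to struct fw3_defaults, but nothing in the patch documents them for /etc/config/firewall users (option names, type, default); please add the corresponding entries wherever the existing `drop_invalid`/`syn_flood` defaults are documented, and consider a short comment on each field here describing which `--reject-with` type it selects.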
> > --
> > 2.7.4
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel