[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user
Alin Năstac
alin.nastac at gmail.com
Wed Jul 4 01:39:22 EDT 2018
On Tue, Jul 3, 2018 at 11:32 PM Philip Prindeville
<philipp_subx at redfish-solutions.com> wrote:
> > On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac at gmail.com> wrote:
> >
> > On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
> > <philipp_subx at redfish-solutions.com> wrote:
> >>
> >> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
> >
> > Not all inbound SYNs are unsolicited. Take for instance active mode
> > FTP transfers where the client resides on the LAN . In this case the
> > FTP data connection is initiated from the WAN, but it is solicited by
> > the FTP control connection initiated from the LAN.
> >
> > I don't think it matters that much what error code firewall returns
> > for these unsolicited inbound SYNs, but this RFC makes
> > adm-prohibitited code a must.
>
> I would have thought that dropping them would be better, since it avoids reflection attacks.
Whether you want to silently drop or reject unauthorized connection
attempts is a matter of local policy.
Besides, in order for a reflection attack against your LAN to succeed,
the source IP address of rejected packets must be part of the LAN
prefix. This can be easily prevented, either by enabling rpfilter or
just by adding a firewall rule when the LAN prefix is statically
allocated (the usual IPv4 case).
> >>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac at gmail.com> wrote:
> >>>
> >>> From: Alin Nastac <alin.nastac at gmail.com>
> >>>
> >>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> >>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> >>> code 1 (Communication with destination administratively prohibited).
> >>>
> >>> Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
> >>> ---
> >>> defaults.c | 21 ++++++++++++++++-----
> >>> options.h | 2 ++
> >>> 2 files changed, 18 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/defaults.c b/defaults.c
> >>> index 11fbf0d..6565ca2 100644
> >>> --- a/defaults.c
> >>> +++ b/defaults.c
> >>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
> >>> FW3_OPT("output", target, defaults, policy_output),
> >>>
> >>> FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
> >>> + FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects),
> >>> + FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),
> >>>
> >>> FW3_OPT("syn_flood", bool, defaults, syn_flood),
> >>> FW3_OPT("synflood_protect", bool, defaults, syn_flood),
> >>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> >>>
> >>> defs->syn_flood_rate.rate = 25;
> >>> defs->syn_flood_rate.burst = 50;
> >>> + defs->tcp_reset_rejects = true;
> >>> defs->tcp_syncookies = true;
> >>> defs->tcp_window_scaling = true;
> >>> defs->custom_chains = true;
> >>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> >>> fw3_ipt_rule_append(r, "INPUT");
> >>> }
> >>>
> >>> - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> >>> - fw3_ipt_rule_target(r, "REJECT");
> >>> - fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> >>> - fw3_ipt_rule_append(r, "reject");
> >>> + if (defs->tcp_reset_rejects)
> >>> + {
> >>> + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> >>> + fw3_ipt_rule_target(r, "REJECT");
> >>> + fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> >>> + fw3_ipt_rule_append(r, "reject");
> >>> + }
> >>>
> >>> r = fw3_ipt_rule_new(handle);
> >>> fw3_ipt_rule_target(r, "REJECT");
> >>> - fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> >>> + fw3_ipt_rule_addarg(r, false, "--reject-with",
> >>> + defs->admin_prohib_rejects ?
> >>> + (handle->family == FW3_FAMILY_V6 ?
> >>> + "adm-prohibited" :
> >>> + "admin-prohib") :
> >>> + "port-unreach");
> >>> fw3_ipt_rule_append(r, "reject");
> >>>
> >>> break;
> >>> diff --git a/options.h b/options.h
> >>> index 08fecf6..e3ba99c 100644
> >>> --- a/options.h
> >>> +++ b/options.h
> >>> @@ -276,6 +276,8 @@ struct fw3_defaults
> >>> enum fw3_flag policy_forward;
> >>>
> >>> bool drop_invalid;
> >>> + bool tcp_reset_rejects;
> >>> + bool admin_prohib_rejects;
> >>>
> >>> bool syn_flood;
> >>> struct fw3_limit syn_flood_rate;
> >>> --
> >>> 2.7.4
> >>>
> >>>
> >>> _______________________________________________
> >>> openwrt-devel mailing list
> >>> openwrt-devel at lists.openwrt.org
> >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> >>
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list