[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Jul 3 17:32:37 EDT 2018



> On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac at gmail.com> wrote:
> 
> On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
> <philipp_subx at redfish-solutions.com> wrote:
>> 
>> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
> 
> Not all inbound SYNs are unsolicited. Take for instance active mode
> FTP transfers where the client resides on the LAN. In this case the
> FTP data connection is initiated from the WAN, but it is solicited by
> the FTP control connection initiated from the LAN.
> 
> I don't think it matters that much what error code firewall returns
> for these unsolicited inbound SYNs, but this RFC makes
> adm-prohibited code a must.


I would have thought that dropping them would be better, since it avoids reflection attacks.

-Philip


> 
>> Sent from my iPhone
>>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac at gmail.com> wrote:
>>> 
>>> From: Alin Nastac <alin.nastac at gmail.com>
>>> 
>>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
>>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
>>> code 1 (Communication with destination administratively prohibited).
>>> 
>>> Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
>>> ---
>>> defaults.c | 21 ++++++++++++++++-----
>>> options.h  |  2 ++
>>> 2 files changed, 18 insertions(+), 5 deletions(-)
>>> 
>>> diff --git a/defaults.c b/defaults.c
>>> index 11fbf0d..6565ca2 100644
>>> --- a/defaults.c
>>> +++ b/defaults.c
>>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
>>>   FW3_OPT("output",              target,   defaults, policy_output),
>>> 
>>>   FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
>>> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
>>> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
>>> 
>>>   FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
>>>   FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
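
Review bot: the new `admin_prohib_rejects` entry is missing the space after the comma before `bool` that every other FW3_OPT line in this table has; align it with `FW3_OPT("tcp_reset_rejects",   bool, ...)`. Neither new option is documented anywhere in the patch; the commit message describes the RFC 6092 motivation but not what each option toggles or what its default is, so a short description of both (and the fact that they are defaults-section options) should accompany the registration.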
>>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
>>> 
>>>   defs->syn_flood_rate.rate  = 25;
>>>   defs->syn_flood_rate.burst = 50;
>>> +    defs->tcp_reset_rejects    = true;
>>>   defs->tcp_syncookies       = true;
>>>   defs->tcp_window_scaling   = true;
>>>   defs->custom_chains        = true;
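
Review bot: only `tcp_reset_rejects` gets an explicit default here; `admin_prohib_rejects` is left to whatever `defs` held before this block. If the intent is that it defaults to false (preserving the current `port-unreach` behaviour), say so with an explicit `defs->admin_prohib_rejects = false;` next to the other defaults so the intended default is visible in the code rather than implied.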
>>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
>>>           fw3_ipt_rule_append(r, "INPUT");
>>>       }
>>> 
>>> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>> -        fw3_ipt_rule_target(r, "REJECT");
>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>> -        fw3_ipt_rule_append(r, "reject");
>>> +        if (defs->tcp_reset_rejects)
>>> +        {
>>> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>> +            fw3_ipt_rule_target(r, "REJECT");
>>> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>> +            fw3_ipt_rule_append(r, "reject");
>>> +        }
>>> 
>>>       r = fw3_ipt_rule_new(handle);
>>>       fw3_ipt_rule_target(r, "REJECT");
>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
>>> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
>>> +            defs->admin_prohib_rejects ?
>>> +                (handle->family == FW3_FAMILY_V6 ?
>>> +                    "adm-prohibited" :
>>> +                    "admin-prohib") :
>>> +                "port-unreach");
>>>       fw3_ipt_rule_append(r, "reject");
>>> 
>>>       break;
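
Review bot: with `tcp_reset_rejects` defaulting to true in the previous hunk, TCP SYNs are still matched by the `tcp-reset` rule before they ever reach the generic rule that this hunk switches to `adm-prohibited`, so enabling `admin_prohib_rejects` alone does not give the RFC 6092 section 3.3.1 behaviour the commit message describes; a user needs `tcp_reset_rejects=0` as well, and the commit message or option documentation should state that dependency. The nested ternary passed to `fw3_ipt_rule_addarg` is hard to read; pick the string into a local first, e.g. `const char *reject_with = defs->admin_prohib_rejects ? (handle->family == FW3_FAMILY_V6 ? "adm-prohibited" : "admin-prohib") : "port-unreach";` and pass `reject_with`. The short alias names used here match the existing `port-unreach` alias style already in this function, so that part is consistent.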
>>> diff --git a/options.h b/options.h
>>> index 08fecf6..e3ba99c 100644
>>> --- a/options.h
>>> +++ b/options.h
>>> @@ -276,6 +276,8 @@ struct fw3_defaults
>>>   enum fw3_flag policy_forward;
>>> 
>>>   bool drop_invalid;
>>> +    bool tcp_reset_rejects;
>>> +    bool admin_prohib_rejects;
>>> 
>>>   bool syn_flood;
>>>   struct fw3_limit syn_flood_rate;
>>> --
>>> 2.7.4
>>> 
>>> 
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>> 

