[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user

Eric Luehrsen ericluehrsen at gmail.com
Wed Jul 4 02:23:56 EDT 2018 

On 07/04/2018 01:39 AM, Alin Năstac wrote:
> On Tue, Jul 3, 2018 at 11:32 PM Philip Prindeville
> <philipp_subx at redfish-solutions.com> wrote:
>>> On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac at gmail.com> wrote:
>>>
>>> On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
>>> <philipp_subx at redfish-solutions.com> wrote:
>>>>
>>>> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
>>>
>>> Not all inbound SYNs are unsolicited. Take for instance active mode
>>> FTP transfers where the client resides on the LAN . In this case the
>>> FTP data connection is initiated from the WAN, but it is solicited by
>>> the FTP control connection initiated from the LAN.
>>>
>>> I don't think it matters that much what error code firewall returns
>>> for these unsolicited  inbound SYNs, but this RFC makes
>>> adm-prohibitited code a must.
>>
>> I would have thought that dropping them would be better, since it avoids reflection attacks.
> 
> Whether you want to silently drop or reject unauthorized connection
> attempts is a matter of local policy.
> 
> Besides, in order for a reflection attack against your LAN to succeed,
> the source IP address of rejected packets must be part of the LAN
> prefix. This can be easily prevented, either by enabling rpfilter or
> just by adding a firewall rule when the LAN prefix is statically
> allocated (the usual IPv4 case).
> 
>>>>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac at gmail.com> wrote:
>>>>>
>>>>> From: Alin Nastac <alin.nastac at gmail.com>
>>>>>
>>>>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
>>>>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
>>>>> code 1 (Communication with destination administratively prohibited).
>>>>>
>>>>> Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
>>>>> ---
>>>>> defaults.c | 21 ++++++++++++++++-----
>>>>> options.h  |  2 ++
>>>>> 2 files changed, 18 insertions(+), 5 deletions(-)
>>>>>
>>>>> diff --git a/defaults.c b/defaults.c
>>>>> index 11fbf0d..6565ca2 100644
>>>>> --- a/defaults.c
>>>>> +++ b/defaults.c
>>>>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
>>>>>    FW3_OPT("output",              target,   defaults, policy_output),
>>>>>
>>>>>    FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
>>>>> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
>>>>> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
>>>>>
>>>>>    FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
>>>>>    FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
>>>>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
>>>>>
>>>>>    defs->syn_flood_rate.rate  = 25;
>>>>>    defs->syn_flood_rate.burst = 50;
>>>>> +    defs->tcp_reset_rejects    = true;
>>>>>    defs->tcp_syncookies       = true;
>>>>>    defs->tcp_window_scaling   = true;
>>>>>    defs->custom_chains        = true;
>>>>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
>>>>>            fw3_ipt_rule_append(r, "INPUT");
>>>>>        }
>>>>>
>>>>> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>>>> -        fw3_ipt_rule_target(r, "REJECT");
>>>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>>>> -        fw3_ipt_rule_append(r, "reject");
>>>>> +        if (defs->tcp_reset_rejects)
>>>>> +        {
>>>>> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>>>> +            fw3_ipt_rule_target(r, "REJECT");
>>>>> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>>>> +            fw3_ipt_rule_append(r, "reject");
>>>>> +        }
>>>>>
>>>>>        r = fw3_ipt_rule_new(handle);
>>>>>        fw3_ipt_rule_target(r, "REJECT");
>>>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
>>>>> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
>>>>> +            defs->admin_prohib_rejects ?
>>>>> +                (handle->family == FW3_FAMILY_V6 ?
>>>>> +                    "adm-prohibited" :
>>>>> +                    "admin-prohib") :
>>>>> +                "port-unreach");
>>>>>        fw3_ipt_rule_append(r, "reject");
>>>>>
>>>>>        break;
>>>>> diff --git a/options.h b/options.h
>>>>> index 08fecf6..e3ba99c 100644
>>>>> --- a/options.h
>>>>> +++ b/options.h
>>>>> @@ -276,6 +276,8 @@ struct fw3_defaults
>>>>>    enum fw3_flag policy_forward;
>>>>>
>>>>>    bool drop_invalid;
>>>>> +    bool tcp_reset_rejects;
>>>>> +    bool admin_prohib_rejects;
>>>>>
>>>>>    bool syn_flood;
>>>>>    struct fw3_limit syn_flood_rate;
>>>>> --
>>>>> 2.7.4

This could spawn a side topic: for all firewall block types would it be 
useful to have a two tier response that is easily configurable for each 
rule or as a global default. That is _overt_ rejection on the first 
counter per time, and then _covert_ drop after that for maybe 4x cool 
off period. An honest address (DNS zone update) error would quickly 
resolve itself while failing connections properly rather than longer 
time outs. An attack flood would not generate amplified noise.

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list