Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
Sent from my iPhone
> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nas...@gmail.com> wrote:
>
> From: Alin Nastac <alin.nas...@gmail.com>
>
> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> code 1 (Communication with destination administratively prohibited).
>
> Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
> ---
> defaults.c | 21 ++++++++++++++++-----
> options.h | 2 ++
> 2 files changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/defaults.c b/defaults.c
> index 11fbf0d..6565ca2 100644
> --- a/defaults.c
> +++ b/defaults.c
> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
> FW3_OPT("output", target, defaults, policy_output),
>
> FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
> + FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects),
> + FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),
>
> FW3_OPT("syn_flood", bool, defaults, syn_flood),
> FW3_OPT("synflood_protect", bool, defaults, syn_flood),
> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct
> uci_package *p)
>
> defs->syn_flood_rate.rate = 25;
> defs->syn_flood_rate.burst = 50;
> + defs->tcp_reset_rejects = true;
> defs->tcp_syncookies = true;
> defs->tcp_window_scaling = true;
> defs->custom_chains = true;
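Review bot: The second new option-table entry, `FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),`, is missing the space after the first comma that every neighbouring entry in fw3_flag_opts has. Write it as `FW3_OPT("admin_prohib_rejects", bool, defaults, admin_prohib_rejects),` so the table stays uniformly formatted.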
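Review bot: `admin_prohib_rejects` gets no explicit default next to the new `defs->tcp_reset_rejects = true;` line, so its off-by-default behaviour presumably relies on the defaults struct being zeroed before fw3_load_defaults runs, which is not visible in this hunk. Adding `defs->admin_prohib_rejects = false;` directly below the new line makes the intended default explicit and keeps the two related options together. fw3_load_defaults continues outside the hunk on both sides.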
> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle
> *handle,
> fw3_ipt_rule_append(r, "INPUT");
> }
>
> - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> - fw3_ipt_rule_target(r, "REJECT");
> - fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> - fw3_ipt_rule_append(r, "reject");
> + if (defs->tcp_reset_rejects)
> + {
> + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> + fw3_ipt_rule_target(r, "REJECT");
> + fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> + fw3_ipt_rule_append(r, "reject");
> + }
>
> r = fw3_ipt_rule_new(handle);
> fw3_ipt_rule_target(r, "REJECT");
> - fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> + fw3_ipt_rule_addarg(r, false, "--reject-with",
> + defs->admin_prohib_rejects ?
> + (handle->family == FW3_FAMILY_V6 ?
> + "adm-prohibited" :
> + "admin-prohib") :
> + "port-unreach");
> fw3_ipt_rule_append(r, "reject");
>
> break;
> diff --git a/options.h b/options.h
> index 08fecf6..e3ba99c 100644
> --- a/options.h
> +++ b/options.h
> @@ -276,6 +276,8 @@ struct fw3_defaults
> enum fw3_flag policy_forward;
>
> bool drop_invalid;
> + bool tcp_reset_rejects;
> + bool admin_prohib_rejects;
>
> bool syn_flood;
> struct fw3_limit syn_flood_rate;
> --
> 2.7.4
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
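Review bot: The `admin_prohib_rejects` branch switches the IPv4 reject type to `admin-prohib` as well, while the commit message motivates the option solely with RFC 6092 section 3.3.1, which addresses IPv6 CPEs; either state in the commit message that IPv4 behaviour changes too, or keep `port-unreach` for any family other than `FW3_FAMILY_V6`. On the reflection question raised in the thread: with `tcp_reset_rejects` disabled, every unsolicited SYN now draws an ICMP/ICMPv6 error rather than a RST, and the only thing bounding replies to spoofed sources is the kernel's ICMP rate limiting, which this hunk does not touch — the option's documentation should say that the two flags are meant to be used together as the RFC describes. The nested conditional passed straight into `fw3_ipt_rule_addarg` is hard to read; computing the argument into a named local first (below) keeps the per-family spelling of the alias in one obvious place. fw3_print_default_head_rules continues outside the hunk on both sides.
```c
	r = fw3_ipt_rule_new(handle);
	fw3_ipt_rule_target(r, "REJECT");
	/* iptables spells the administratively-prohibited alias differently
	 * for IPv4 and IPv6; pick the reject type once, then emit the rule */
	const char *reject_with = "port-unreach";
	if (defs->admin_prohib_rejects)
		reject_with = (handle->family == FW3_FAMILY_V6) ? "adm-prohibited"
		                                                : "admin-prohib";
	fw3_ipt_rule_addarg(r, false, "--reject-with", reject_with);
	/* … unchanged: fw3_ipt_rule_append(r, "reject"); … */
```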
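Review bot: The two new struct fw3_defaults members are undocumented, and their defaults differ (`tcp_reset_rejects` is set to true in fw3_load_defaults, `admin_prohib_rejects` is not set there), which a reader of the header cannot see. A one-line comment on each would help, e.g. `bool tcp_reset_rejects;    /* reject TCP with tcp-reset instead of an ICMP error (default: true) */` and `bool admin_prohib_rejects; /* use the ICMP admin-prohibited error instead of port-unreach */`. struct fw3_defaults continues outside the hunk on both sides.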