> On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nas...@gmail.com> wrote:
>
> On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
> <philipp_s...@redfish-solutions.com> wrote:
>>
>> Aren't all inbound SYNs unsolicited by definition? Is there a danger of
>> reflection attacks?
>
> Not all inbound SYNs are unsolicited. Take for instance active mode
> FTP transfers where the client resides on the LAN. In this case the
> FTP data connection is initiated from the WAN, but it is solicited by
> the FTP control connection initiated from the LAN.
>
> I don't think it matters that much what error code firewall returns
> for these unsolicited inbound SYNs, but this RFC makes
> adm-prohibited code a must.
I would have thought that dropping them would be better, since it avoids reflection attacks. -Philip > >> Sent from my iPhone >>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nas...@gmail.com> wrote: >>> >>> From: Alin Nastac <alin.nas...@gmail.com> >>> >>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to >>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error >>> code 1 (Communication with destination administratively prohibited). >>> >>> Signed-off-by: Alin Nastac <alin.nas...@gmail.com> >>> --- >>> defaults.c | 21 ++++++++++++++++----- >>> options.h | 2 ++ >>> 2 files changed, 18 insertions(+), 5 deletions(-) >>> >>> diff --git a/defaults.c b/defaults.c >>> index 11fbf0d..6565ca2 100644 >>> --- a/defaults.c >>> +++ b/defaults.c >>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = { >>> FW3_OPT("output", target, defaults, policy_output), >>> >>> FW3_OPT("drop_invalid", bool, defaults, drop_invalid), >>> + FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects), >>> + FW3_OPT("admin_prohib_rejects",bool, defaults, >>> admin_prohib_rejects), >>> >>> FW3_OPT("syn_flood", bool, defaults, syn_flood), >>> FW3_OPT("synflood_protect", bool, defaults, syn_flood), >>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct >>> uci_package *p) >>> >>> defs->syn_flood_rate.rate = 25; >>> defs->syn_flood_rate.burst = 50; >>> + defs->tcp_reset_rejects = true; >>> defs->tcp_syncookies = true; >>> defs->tcp_window_scaling = true; >>> defs->custom_chains = true; 
>>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle >>> *handle, >>> fw3_ipt_rule_append(r, "INPUT"); >>> } >>> >>> - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); >>> - fw3_ipt_rule_target(r, "REJECT"); >>> - fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset"); >>> - fw3_ipt_rule_append(r, "reject"); >>> + if (defs->tcp_reset_rejects) >>> + { >>> + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); >>> + fw3_ipt_rule_target(r, "REJECT"); >>> + fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset"); >>> + fw3_ipt_rule_append(r, "reject"); >>> + } >>> >>> r = fw3_ipt_rule_new(handle); >>> fw3_ipt_rule_target(r, "REJECT"); >>> - fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach"); >>> + fw3_ipt_rule_addarg(r, false, "--reject-with", >>> + defs->admin_prohib_rejects ? >>> + (handle->family == FW3_FAMILY_V6 ? >>> + "adm-prohibited" : >>> + "admin-prohib") : >>> + "port-unreach"); >>> fw3_ipt_rule_append(r, "reject"); >>> >>> break; >>> diff --git a/options.h b/options.h >>> index 08fecf6..e3ba99c 100644 >>> --- a/options.h >>> +++ b/options.h >>> @@ -276,6 +276,8 @@ struct fw3_defaults >>> enum fw3_flag policy_forward; >>> >>> bool drop_invalid; >>> + bool tcp_reset_rejects; >>> + bool admin_prohib_rejects; >>> >>> bool syn_flood; >>> struct fw3_limit syn_flood_rate; >>> -- >>> 2.7.4 >>> >>> >>> _______________________________________________ >>> openwrt-devel mailing list >>> openwrt-devel@lists.openwrt.org >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel >> _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
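Review bot: in the first defaults.c hunk (`@@ -41,6 +41,8 @@`), `FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects)` is missing the space after the first comma that every neighbouring `FW3_OPT(...)` entry has; align it with the `tcp_reset_rejects` line added just above it.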
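Review bot: in the `fw3_load_defaults` hunk (`@@ -113,6 +115,7 @@`), `defs->tcp_reset_rejects = true;` gets an explicit default while its sibling `admin_prohib_rejects` gets none, so its off-by-default state rests on the defaults struct having been zeroed before this function runs. Add `defs->admin_prohib_rejects = false;` next to it so the intended default is stated and the two options stay symmetric.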
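Review bot: in the `fw3_print_default_head_rules` hunk (`@@ -276,14 +279,22 @@`), the `tcp-reset` rule is still appended ahead of the ICMP rule whenever `tcp_reset_rejects` is set, and it defaults to true, so turning on `admin_prohib_rejects` alone never changes what an unsolicited SYN gets: TCP keeps receiving RSTs and only non-TCP traffic sees `adm-prohibited`. To get the RFC 6092 section 3.3.1 behaviour the commit message describes, a user has to set both `tcp_reset_rejects=0` and `admin_prohib_rejects=1`; either let `admin_prohib_rejects` suppress the tcp-reset rule for the `FW3_FAMILY_V6` handle, or spell out the two-knob requirement in the commit message. Note also that the `admin-prohib` branch applies to the IPv4 handle too, which goes beyond what the cited RFC asks for; say so if that is intended. Minor: hoisting the nested ternary into a `const char *reject_with` chosen before the `fw3_ipt_rule_addarg` call would make the three-way choice easier to read.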
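Review bot: in the options.h hunk (`@@ -276,6 +276,8 @@`), the two new `defaults` options `tcp_reset_rejects` and `admin_prohib_rejects` are not documented anywhere in this change (the diffstat touches only defaults.c and options.h). Describe them wherever the existing `defaults` options such as `drop_invalid` are documented, including the defaults (`tcp_reset_rejects` on, `admin_prohib_rejects` off) and that the latter implements RFC 6092 section 3.3.1 for IPv6.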
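As an added illustration of the reflection question raised in the thread (a constructed example written for this page; it is not firewall3 code and sends nothing on a real network), the following models the three `reject` policies the patch chooses between as bytes on the wire, so the cost of each answer to a spoofed SYN can be compared. Assumptions, also marked in the comments: the SYN was addressed to the CPE itself, so the error or RST is sourced from the SYN's destination address; hop limit 64; the RST takes the RST/ACK shape Linux sends in answer to a SYN; and the ICMPv6 error carries as much of the invoking packet as fits in the 1280-byte minimum MTU, per RFC 4443 section 2.4. Only IPv6 is modelled; the IPv4 `admin-prohib` case follows different ICMP size rules and is not covered.

```python
"""Wire-size comparison of the three answers an IPv6 CPE can give an unsolicited
inbound SYN: silent drop, `--reject-with tcp-reset` and `--reject-with
adm-prohibited` (ICMPv6 Destination Unreachable, code 1).  Constructed example;
every packet below is built inline, nothing is transmitted."""
import ipaddress
import struct

IPV6_MIN_MTU = 1280          # RFC 4443 s.2.4: an ICMPv6 error never exceeds this
NH_TCP, NH_ICMPV6 = 6, 58
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMPV6_DEST_UNREACH, CODE_ADM_PROHIBITED = 1, 1


def _ones_complement(data: bytes) -> int:
    """RFC 1071 checksum; a correctly checksummed message sums to zero under it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, upper_len: int, nh: int) -> bytes:
    """IPv6 pseudo-header (RFC 8200 s.8.1) shared by the TCP and ICMPv6 checksums."""
    return src + dst + struct.pack("!I3xB", upper_len, nh)


def _with_checksum(src: bytes, dst: bytes, nh: int, seg: bytes, offset: int) -> bytes:
    csum = _ones_complement(_pseudo_header(src, dst, len(seg), nh) + seg)
    return seg[:offset] + struct.pack("!H", csum) + seg[offset + 2:]


def ipv6_header(src: bytes, dst: bytes, nh: int, payload_len: int) -> bytes:
    # version 6, traffic class 0, flow label 0; hop limit 64 is an assumption
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + src + dst


def parse_ipv6(pkt: bytes):
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    return pkt[8:24], pkt[24:40], nh, pkt[40:40 + payload_len]


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int,
              payload: bytes = b"") -> bytes:
    """An unsolicited SYN from a (possibly spoofed) src; `payload` pads it the way
    a reflection attacker would, to make the echoed copy bigger."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN,
                      65535, 0, 0) + payload
    tcp = _with_checksum(s, d, NH_TCP, tcp, 16)
    return ipv6_header(s, d, NH_TCP, len(tcp)) + tcp


def reject_tcp_reset(pkt: bytes) -> bytes:
    """`--reject-with tcp-reset`: a bare RST/ACK (assumed Linux shape), sourced
    from the SYN's destination address."""
    src, dst, _, tcp = parse_ipv6(pkt)
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    rst = struct.pack("!HHIIBBHHH", dport, sport, 0, (seq + 1) & 0xFFFFFFFF,
                      5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    rst = _with_checksum(dst, src, NH_TCP, rst, 16)
    return ipv6_header(dst, src, NH_TCP, len(rst)) + rst


def reject_adm_prohibited(pkt: bytes) -> bytes:
    """`--reject-with adm-prohibited`: ICMPv6 type 1 code 1 carrying as much of
    the invoking packet as fits in IPV6_MIN_MTU.  Sourced from the SYN's
    destination address (assumption: the SYN was aimed at the CPE itself)."""
    src, dst, _, _ = parse_ipv6(pkt)
    room = IPV6_MIN_MTU - 40 - 8                  # minus IPv6 and ICMPv6 headers
    icmp = struct.pack("!BBH4x", ICMPV6_DEST_UNREACH, CODE_ADM_PROHIBITED, 0) + pkt[:room]
    icmp = _with_checksum(dst, src, NH_ICMPV6, icmp, 2)
    return ipv6_header(dst, src, NH_ICMPV6, len(icmp)) + icmp


def icmpv6_checksum_ok(pkt: bytes) -> bool:
    """True when pkt is ICMPv6 and its checksum verifies under the pseudo-header."""
    src, dst, nh, body = parse_ipv6(pkt)
    return nh == NH_ICMPV6 and _ones_complement(_pseudo_header(src, dst, len(body), nh) + body) == 0


def reply_sizes(pkt: bytes) -> dict:
    """Bytes the CPE sends back toward the SYN's source under each policy."""
    return {"drop": 0,
            "tcp-reset": len(reject_tcp_reset(pkt)),
            "adm-prohibited": len(reject_adm_prohibited(pkt))}


def amplification(pkt: bytes, policy: str) -> float:
    """Reply bytes per byte the sender had to put on the wire (0: nothing reflected)."""
    return reply_sizes(pkt)[policy] / len(pkt)


if __name__ == "__main__":
    for label, syn in (("minimal SYN", build_syn("2001:db8::a", "2001:db8::1", 40000, 22, 1)),
                       ("padded SYN", build_syn("2001:db8::a", "2001:db8::1", 40000, 22, 1,
                                                b"\x00" * 1400))):
        print(label, len(syn), "bytes ->", reply_sizes(syn))
```

Read the numbers rather than the code: a drop reflects nothing; `tcp-reset` answers a 60-byte SYN with 60 bytes, a 1:1 reflection; `adm-prohibited` echoes the invoking packet inside the error, so a minimal SYN draws about 1.8 times its size back toward the spoofed source, and the reply grows with the SYN until the 1280-byte cap stops it. That is the trade-off between the RFC's prescribed error and the "just drop it" position in the reply above: the error is more informative and bounded, but it is not free.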