On 07/04/2018 01:39 AM, Alin Năstac wrote:
On Tue, Jul 3, 2018 at 11:32 PM Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nas...@gmail.com> wrote:

On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:

Aren't all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?

Not all inbound SYNs are unsolicited. Take for instance active mode FTP transfers where the client resides on the LAN. In this case the FTP data connection is initiated from the WAN, but it is solicited by the FTP control connection initiated from the LAN.

I don't think it matters that much what error code the firewall returns for these unsolicited inbound SYNs, but this RFC makes the adm-prohibited code a must.

I would have thought that dropping them would be better, since it avoids reflection attacks.

Whether you want to silently drop or reject unauthorized connection
attempts is a matter of local policy.

Besides, in order for a reflection attack against your LAN to succeed,
the source IP address of rejected packets must be part of the LAN
prefix. This can be easily prevented, either by enabling rpfilter or
just by adding a firewall rule when the LAN prefix is statically
allocated (the usual IPv4 case).

On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nas...@gmail.com> wrote:

From: Alin Nastac <alin.nas...@gmail.com>

RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).

Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
defaults.c | 21 ++++++++++++++++-----
options.h  |  2 ++
2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/defaults.c b/defaults.c
index 11fbf0d..6565ca2 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
   FW3_OPT("output",              target,   defaults, policy_output),

   FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
+    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
+    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),

   FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
   FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
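Review bot: `tcp_reset_rejects` is introduced here but the commit message describes only the ICMPv6 administratively-prohibited change; please document both new UCI options (`tcp_reset_rejects`, `admin_prohib_rejects`), what each default is and what flipping it changes on the wire. Style nit in the same hunk: `FW3_OPT("admin_prohib_rejects",bool,` is missing the space after the comma that every neighbouring entry has.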
@@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct 
uci_package *p)

   defs->syn_flood_rate.rate  = 25;
   defs->syn_flood_rate.burst = 50;
+    defs->tcp_reset_rejects    = true;
   defs->tcp_syncookies       = true;
   defs->tcp_window_scaling   = true;
   defs->custom_chains        = true;
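Review bot: only `defs->tcp_reset_rejects` gets an explicit default here; `admin_prohib_rejects` is left to whatever the struct was initialised with. If `defs` is zero-filled that is `false`, which keeps today's `port-unreach` behaviour, but an explicit `defs->admin_prohib_rejects = false;` next to the new line would make the intended default visible and not depend on how the struct happens to be allocated.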
@@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle 
*handle,
           fw3_ipt_rule_append(r, "INPUT");
       }

-        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
-        fw3_ipt_rule_target(r, "REJECT");
-        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
-        fw3_ipt_rule_append(r, "reject");
+        if (defs->tcp_reset_rejects)
+        {
+            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
+            fw3_ipt_rule_target(r, "REJECT");
+            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+            fw3_ipt_rule_append(r, "reject");
+        }

       r = fw3_ipt_rule_new(handle);
       fw3_ipt_rule_target(r, "REJECT");
-        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+        fw3_ipt_rule_addarg(r, false, "--reject-with",
+            defs->admin_prohib_rejects ?
+                (handle->family == FW3_FAMILY_V6 ?
+                    "adm-prohibited" :
+                    "admin-prohib") :
+                "port-unreach");
       fw3_ipt_rule_append(r, "reject");

       break;
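Review bot: the three-level ternary passed straight into `fw3_ipt_rule_addarg` is hard to read and review; pull the reject type into a local first, e.g. `const char *reject_with = "port-unreach";` followed by `if (defs->admin_prohib_rejects) reject_with = (handle->family == FW3_FAMILY_V6) ? "adm-prohibited" : "admin-prohib";`, and pass `reject_with`. Two behavioural consequences of this hunk deserve a sentence in the commit message: with `tcp_reset_rejects` off, TCP SYNs no longer get a RST but fall through to the generic REJECT rule and receive the ICMP error (this is what produces the RFC 6092 behaviour the patch is for), and with `admin_prohib_rejects` on the IPv4 reject type changes as well, not only IPv6.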
diff --git a/options.h b/options.h
index 08fecf6..e3ba99c 100644
--- a/options.h
+++ b/options.h
@@ -276,6 +276,8 @@ struct fw3_defaults
   enum fw3_flag policy_forward;

   bool drop_invalid;
+    bool tcp_reset_rejects;
+    bool admin_prohib_rejects;

   bool syn_flood;
   struct fw3_limit syn_flood_rate;
--
2.7.4

This could spawn a side topic: for all firewall block types, would it be useful to have a two-tier response that is easily configurable for each rule or as a global default? That is, _overt_ rejection on the first counter per time, and then _covert_ drop after that for maybe a 4x cool-off period. An honest address (DNS zone update) error would quickly resolve itself while failing connections properly rather than with longer timeouts. An attack flood would not generate amplified noise.
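The two-tier idea above, as an added illustration that is not part of the thread or of fw3: a per-source policy that answers the first unsolicited SYN in a window overtly (the ICMPv6 adm-prohibited or TCP RST the patch configures) and then stays silent for a cool-off of four windows, so a client with a stale DNS record fails fast while a flood only earns one reply per cool-off. The 60-second window, the one-reject budget and the `2001:db8::` sample sources are assumptions chosen for the example.

```python
"""Two-tier response to unsolicited inbound SYNs: overt reject first,
covert drop afterwards.  Added example of the policy proposed on the
list; it is not fw3 code.  Window length, overt budget and cool-off
factor are assumed values.
"""
from dataclasses import dataclass, field

REJECT = "reject"   # overt: ICMPv6 adm-prohibited (RFC 6092 3.3.1) or TCP RST
DROP = "drop"       # covert: no response at all


@dataclass
class SourceState:
    window_start: float = 0.0   # start of the current counting window
    hits: int = 0               # unsolicited SYNs seen in that window
    drop_until: float = 0.0     # covert drop is active while now < drop_until


@dataclass
class TieredPolicy:
    window: float = 60.0        # seconds over which overt rejects are counted
    overt_per_window: int = 1   # SYNs per window that still get an overt reject
    cooloff_factor: int = 4     # covert drop lasts this many windows
    state: dict = field(default_factory=dict)

    def decide(self, src: str, now: float) -> str:
        """Return REJECT or DROP for one unsolicited SYN from src at time now."""
        st = self.state.setdefault(src, SourceState(window_start=now))
        # Tier 2 in force: stay silent until the cool-off expires.
        if now < st.drop_until:
            return DROP
        # Cool-off finished, or the counting window rolled over: start a
        # fresh window so a source that has fixed its mistake is answered.
        if now - st.window_start >= self.window or st.drop_until:
            st.window_start, st.hits, st.drop_until = now, 0, 0.0
        st.hits += 1
        if st.hits <= self.overt_per_window:
            return REJECT
        # Overt budget spent: switch to covert drop for the cool-off period.
        st.drop_until = now + self.window * self.cooloff_factor
        return DROP


def simulate(events, policy=None):
    """Run a (time, src) trace through the policy; returns (t, src, verdict)."""
    policy = policy or TieredPolicy()
    return [(t, src, policy.decide(src, t)) for t, src in sorted(events)]


# Constructed trace: one source flooding every 20 s for 400 s, and one honest
# client that hit the wrong host once, fixed its DNS, and retried 92 s later.
SAMPLE_EVENTS = [(float(t), "2001:db8::bad") for t in range(0, 400, 20)] + [
    (3.0, "2001:db8::1"),
    (95.0, "2001:db8::1"),
]

if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:6.1f} {src:14} -> {verdict}")
```

With the assumed parameters the flooding source receives exactly two overt replies in 400 seconds (at t=0 and again once the 240-second cool-off has lapsed), while the honest client is answered overtly both times because its retry falls outside the 60-second window. The amplification an attacker could extract is bounded by one reply per source per cool-off, which is the property the proposal is after; the cost is that a legitimate client retransmitting inside the window sees a silent drop rather than a second fast failure.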

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
