From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 5/6] firewall: Implement generating SYNPROXY rules Date: Thu, 18 Apr 2024 21:11:43 +0000 Message-ID: <20240418211144.3318938-5-michael.tremer@ipfire.org> In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0002631727774934975==" List-Id: --===============0002631727774934975== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Michael Tremer
---
 config/firewall/rules.pl | 12 ++++++++++++
 src/initscripts/system/firewall | 4 ++++
 2 files changed, 16 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index a47c260a1..e38f77242 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -297,6 +297,9 @@ sub buildrules {
 $NAT_MODE =3D uc($$hash{$key}[31]);
 }
=20
+ # Enable SYN flood protection?
+ my $SYN_FLOOD_PROTECTION =3D 0;
+
 # Set up time constraints.
 my @time_options =3D ();
 if ($$hash{$key}[18] eq 'ON') {
@@ -370,6 +373,11 @@ sub buildrules {
 }
 }
=20
+ # DoS Protection
+ if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) {
+ $SYN_FLOOD_PROTECTION =3D 1;
+ }
+
 # Check which protocols are used in this rule and so that we can
 # later group rules by protocols.
 my @protocols =3D &get_protocols($hash, $key);
@@ -608,6 +616,10 @@ sub buildrules {
 }
 run("$IPTABLES -A $chain @options @source_intf_options @destination_int= f_options -j $target");
=20
+ if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) {
+ run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack");
+ }
+
 # Handle forwarding rules and add corresponding rules for firewall acce= ss.
 if ($chain eq $CHAIN_FORWARD) {
 # If the firewall is part of the destination subnet and access to the = destination network
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 1250b9ff4..6727e4a20 100644
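Review bot: `$elements ge 38` in the added DoS Protection guard is a string comparison, so the field count is compared lexically rather than numerically (a count of 9 satisfies it, a count of 100 does not); it should read `if (($elements >= 38) && ($$hash{$key}[37] eq "ON")) {`. The second operand masks most of the damage because a missing field [37] is undef and fails `eq "ON"`, but under `use warnings` that path emits an uninitialized-value warning for every short rule. How `$elements` is computed is outside this hunk, so please confirm it is the numeric field count of the rule; buildrules continues outside the hunk on both sides.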
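Review bot: Nothing in this patch shows the SYN_FLOOD_PROTECT chain being flushed when rules are regenerated, so each run of rules.pl would append another copy of every `CT --notrack` rule unless the flush step (outside this hunk) has been extended; please confirm, or add `run("$IPTABLES -t raw -F SYN_FLOOD_PROTECT");` to the flush path. Marking SYNs untracked is only half of the SYNPROXY recipe: the companion `-m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY ...` rule in the filter chain is not part of this hunk, and until it exists those untracked SYNs reach the filter table with state UNTRACKED and are handled by whatever the generic state rules do with them (this may be in a later patch of the series). It is also worth checking that `@options`, which was assembled for the filter chain, never carries a stateful match such as `-m conntrack` or `-m state` on this path, since those are not usable in the raw table where connection tracking has not run yet, and that the raw rule is not emitted once per target chain when the same rule is expanded for several chains. A short comment above the `if` stating why only `tcp` is handled and where the filter-side SYNPROXY rule lives would help the next reader; buildrules continues outside the hunk.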
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -407,6 +407,10 @@ iptables_init() {
 iptables -t nat -N REDNAT
 iptables -t nat -A POSTROUTING -j REDNAT
=20
+ # SYN Flood Protection
+ iptables -t raw -N SYN_FLOOD_PROTECT
+ iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT
+
 # Populate IPsec chains
 /usr/lib/firewall/ipsec-policy
=20
--=20 2.39.2 --===============0002631727774934975==--
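Review bot: A SYNPROXY deployment normally requires `net.netfilter.nf_conntrack_tcp_loose` to be 0 so that conntrack does not pick up the proxied handshake mid-stream, and this hunk does not set it; if the sysctl is not applied elsewhere (sysctl configuration is outside this patch), add it next to the chain creation. Consider documenting the dispatch above the new rules, e.g. `# Only SYN packets are steered here; rules.pl fills SYN_FLOOD_PROTECT with per-rule "CT --notrack" entries`, so a reader of the initscript knows the chain is populated by rules.pl rather than here. iptables_init continues outside the hunk.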