public inbox for development@lists.ipfire.org
* [PATCH 1/6] firewall: Split CONNTRACK chain
@ 2024-04-18 21:11 Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


This is preparation to handle incoming/outgoing packets differently.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 69bdcb594..d14466ef0 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -149,10 +149,15 @@ iptables_init() {
 	fi
 	iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
 
-	iptables -N CONNTRACK
-	iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT
-	iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
-	iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT
+	iptables -N CTINPUT
+	iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
+	iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
+
+	iptables -N CTOUTPUT
+	iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID
+	iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
 	# Restore any connection marks
 	iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
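Review bot: the old CONNTRACK chain is removed here, so any remaining `-j CONNTRACK` reference elsewhere in this script or in the other IPFire firewall scripts will make iptables fail with a missing-chain error during init; grep for the old name before merging. Since CTINPUT and CTOUTPUT are still identical at this point, a one-line comment above `iptables -N CTINPUT` saying the split is preparation for treating the two directions differently would save the next reader from wondering why the duplication exists.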
@@ -261,9 +266,9 @@ iptables_init() {
 	done
 
 	# Accept everything connected
-	for i in INPUT FORWARD OUTPUT; do
-		iptables -A ${i} -j CONNTRACK
-	done
+	iptables -A INPUT   -j CTINPUT
+	iptables -A FORWARD -j CTINPUT
+	iptables -A OUTPUT  -j CTOUTPUT
 
 	# Allow DHCP
 	iptables -N DHCPINPUT
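Review bot: FORWARD now jumps to CTINPUT, so the chain name no longer describes where it is used; either pick a direction-neutral name or add a comment above `iptables -A FORWARD -j CTINPUT` stating that forwarded traffic deliberately shares the input-side conntrack handling, so that a later patch does not "fix" it by creating a third chain that drifts out of sync.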
-- 
2.39.2



* [PATCH 2/6] firewall: Don't filter output INVALID packets
@ 2024-04-18 21:11 ` Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


This should never cause any problems, but will otherwise cause certain more
complicated features like SYNPROXY not to work.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index d14466ef0..054d58c01 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -156,7 +156,6 @@ iptables_init() {
 
 	iptables -N CTOUTPUT
 	iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-	iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
 	# Restore any connection marks
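Review bot: the asymmetry this creates (CTINPUT still sends INVALID to CTINVALID, CTOUTPUT no longer does) is explained only in the commit message; add a comment above the CTOUTPUT chain stating that INVALID is deliberately not filtered on output because SYNPROXY depends on it, otherwise a later cleanup is likely to re-add the rule for symmetry. It is also worth recording what happens to INVALID output packets now: they fall through to the remaining OUTPUT rules instead of being counted and dropped by the DROP_CTINVALID rule.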
-- 
2.39.2



* [PATCH 3/6] firewall: Enable SYNPROXY for untracked packets
@ 2024-04-18 21:11 ` Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


This enables some DoS protection using SYNPROXY, which will complete the
SYN handshake with the client before the connection is forwarded.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/firewall | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 054d58c01..1250b9ff4 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000"
 
 IPSET_DB_DIR="/var/lib/location/ipset"
 
+SYNPROXY_OPTIONS=(
+	# Allow clients to use Selective ACKs
+	"--sack-perm"
+
+	# Allow TCP Timestamps
+	#"--timestamp"
+
+	# Window Scaling
+	"--wscale" "9"
+
+	# Maximum Segment Size
+	"--mss" "1460"
+)
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
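Review bot: `--mss 1460` and `--wscale 9` are hard-coded. 1460 assumes a 1500-byte MTU on the path to the client; on a PPPoE RED interface (MTU 1492) the proxy would announce an MSS 8 bytes larger than the link can carry, so either derive the value from the RED MTU or document why a fixed value is acceptable. The commented-out `#"--timestamp"` has no explanation; say why timestamps are disabled (or drop the line) so it is not re-enabled by accident later.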
@@ -151,6 +165,8 @@ iptables_init() {
 
 	iptables -N CTINPUT
 	iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
+		-p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
 	iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
 
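Review bot: this rule sits in CTINPUT, which both INPUT and FORWARD jump to, so every TCP packet in INVALID or UNTRACKED state now passes through SYNPROXY before the CTINVALID rule, not only flows that were marked for SYN flood protection. Confirm that packets SYNPROXY is not proxying (anything other than a SYN or the client's final handshake ACK) really continue to the next rule, so the existing `--ctstate INVALID -j CTINVALID` accounting is unchanged, and add a comment that this rule only has an effect together with the raw-table notrack rule and nf_conntrack_tcp_loose = 0 introduced later in this series, since on its own it changes the path of every INVALID TCP packet.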
-- 
2.39.2



* [PATCH 4/6] firewall.cgi: Add a checkbox to enable SYN flood protection
@ 2024-04-18 21:11 ` Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 doc/language_issues.de    |  1 +
 doc/language_issues.en    |  1 +
 doc/language_issues.es    |  1 +
 doc/language_issues.fr    |  1 +
 doc/language_issues.it    |  1 +
 doc/language_issues.nl    |  1 +
 doc/language_issues.pl    |  1 +
 doc/language_issues.ru    |  1 +
 doc/language_issues.tr    |  1 +
 doc/language_missings     |  8 ++++++++
 html/cgi-bin/firewall.cgi | 14 ++++++++++++--
 langs/en/cgi-bin/en.pl    |  1 +
 12 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 1ba77c94d..79b21fe24 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -894,6 +894,7 @@ WARNING: untranslated string: enable disable client = unknown string
 WARNING: untranslated string: enable disable dyndns = unknown string
 WARNING: untranslated string: error message = unknown string
 WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date!
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 84bc8cdb0..2541ccf88 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -890,6 +890,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position
 WARNING: untranslated string: fwdfw snat = Source NAT
 WARNING: untranslated string: fwdfw source = Source
 WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network):
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwdfw target = Destination
 WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network):
 WARNING: untranslated string: fwdfw timeframe = Use time constraints
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 25ef7f9c5..4949d9335 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -958,6 +958,7 @@ WARNING: untranslated string: extrahd mounted = Mounted
 WARNING: untranslated string: extrahd no mount point given = No mount point given
 WARNING: untranslated string: extrahd not configured = Not configured
 WARNING: untranslated string: extrahd not mounted = Not mounted
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 7aafc3053..fb29de25c 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -912,6 +912,7 @@ WARNING: untranslated string: enable disable client = unknown string
 WARNING: untranslated string: enable disable dyndns = unknown string
 WARNING: untranslated string: error message = unknown string
 WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 7498e2af1..680cc5f4e 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1029,6 +1029,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p
 WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections
 WARNING: untranslated string: fwdfw numcon = Number of connections
 WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost addlocationgrp = Add new Location group
 WARNING: untranslated string: fwhost cust location = Location Groups
 WARNING: untranslated string: fwhost cust locationgroup = Location Groups
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 16e69bf27..de9dc112a 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1035,6 +1035,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p
 WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections
 WARNING: untranslated string: fwdfw numcon = Number of connections
 WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost addlocationgrp = Add new Location group
 WARNING: untranslated string: fwhost cust location = Location Groups
 WARNING: untranslated string: fwhost cust locationgroup = Location Groups
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 31c64c164..d52c29f6b 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1093,6 +1093,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position
 WARNING: untranslated string: fwdfw snat = Source NAT
 WARNING: untranslated string: fwdfw source = Source
 WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network):
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwdfw target = Destination
 WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network):
 WARNING: untranslated string: fwdfw timeframe = Use time constraints
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 9495d951e..3436c4a6e 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1090,6 +1090,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position
 WARNING: untranslated string: fwdfw snat = Source NAT
 WARNING: untranslated string: fwdfw source = Source
 WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network):
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwdfw target = Destination
 WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network):
 WARNING: untranslated string: fwdfw timeframe = Use time constraints
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index a2c134a2a..ca57075b1 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -977,6 +977,7 @@ WARNING: untranslated string: force enable = Forced
 WARNING: untranslated string: foreshadow = Foreshadow
 WARNING: untranslated string: fw red = Firewall options for RED interface
 WARNING: untranslated string: fwdfw all subnets = All subnets
+WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
 WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_missings b/doc/language_missings
index 44d79f352..a214b8f9a 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -56,6 +56,7 @@
 < enable
 < error the to date has to be later than the from date
 < extrahd because it it outside the allowed mount path
+< fwdfw syn flood protection
 < g.dtm
 < g.lite
 < hostile networks in
@@ -120,6 +121,7 @@
 < extrahd no mount point given
 < extrahd not configured
 < extrahd not mounted
+< fwdfw syn flood protection
 < hardware vulnerabilities
 < hostile networks in
 < hostile networks out
@@ -148,6 +150,7 @@
 < bewan adsl pci st
 < bewan adsl usb
 < extrahd because it it outside the allowed mount path
+< fwdfw syn flood protection
 < g.dtm
 < g.lite
 < hostile networks total
@@ -365,6 +368,7 @@
 < fwdfw maxconcon
 < fwdfw numcon
 < fwdfw ratelimit
+< fwdfw syn flood protection
 < fwhost addlocationgrp
 < fwhost cust location
 < fwhost cust locationgroup
@@ -894,6 +898,7 @@
 < fwdfw maxconcon
 < fwdfw numcon
 < fwdfw ratelimit
+< fwdfw syn flood protection
 < fwhost addlocationgrp
 < fwhost cust location
 < fwhost cust locationgroup
@@ -1613,6 +1618,7 @@
 < fwdfw source
 < fwdfw sourceip
 < fwdfw std network
+< fwdfw syn flood protection
 < fwdfw target
 < fwdfw targetip
 < fwdfw till
@@ -2613,6 +2619,7 @@
 < fwdfw source
 < fwdfw sourceip
 < fwdfw std network
+< fwdfw syn flood protection
 < fwdfw target
 < fwdfw targetip
 < fwdfw till
@@ -3327,6 +3334,7 @@
 < force enable
 < foreshadow
 < fwdfw all subnets
+< fwdfw syn flood protection
 < fw red
 < generate ptr
 < hardware vulnerabilities
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 681d42770..226d00838 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -301,8 +301,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 	#check if we have an identical rule already
 	if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){
 		foreach my $key (sort keys %rulehash){
-			if (   "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}"
-				eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36]"){
+			if (   "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'},$fwdfwsettings{'SYN_FLOOD_PROTECTION'}"
+				eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36],$rulehash{$key}[37]"){
 					$errormessage.=$Lang::tr{'fwdfw err ruleexists'};
 					if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
 						$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
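Review bot: the duplicate-rule check is purely positional, so the new field has to be appended at the same index on both sides; it is (SYN_FLOOD_PROTECTION on the left, `[37]` on the right), but rules saved before this change have no element 37, so `$rulehash{$key}[37]` interpolates as an empty string and triggers an uninitialized-value warning if the CGI runs under `use warnings`. A defined-or default to '' on the right-hand side avoids the noise; an unticked checkbox is not posted at all and also yields '', so old and new rules still compare equal as intended.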
@@ -1624,6 +1624,7 @@ sub newrule
 				$fwdfwsettings{'RATE_LIMIT'}			= $hash{$key}[34];
 				$fwdfwsettings{'ratecon'}				= $hash{$key}[35];
 				$fwdfwsettings{'RATETIME'}				= $hash{$key}[36];
+				$fwdfwsettings{'SYN_FLOOD_PROTECTION'}			= $hash{$key}[37];
 				$checked{'grp1'}{$fwdfwsettings{'grp1'}} 				= 'CHECKED';
 				$checked{'grp2'}{$fwdfwsettings{'grp2'}} 				= 'CHECKED';
 				$checked{'grp3'}{$fwdfwsettings{'grp3'}} 				= 'CHECKED';
@@ -1631,6 +1632,7 @@ sub newrule
 				$checked{'USESRV'}{$fwdfwsettings{'USESRV'}} 			= 'CHECKED';
 				$checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} 			= 'CHECKED';
 				$checked{'LOG'}{$fwdfwsettings{'LOG'}} 					= 'CHECKED';
+				$checked{'SYN_FLOOD_PROTECTION'}{$fwdfwsettings{'SYN_FLOOD_PROTECTION'}} 		= 'CHECKED';
 				$checked{'TIME'}{$fwdfwsettings{'TIME'}} 				= 'CHECKED';
 				$checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} 		= 'CHECKED';
 				$checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} 		= 'CHECKED';
@@ -2070,6 +2072,12 @@ END
 				</td>
 				<td>$Lang::tr{'fwdfw log rule'}</td>
 			</tr>
+			<tr>
+				<td>
+					<input type='checkbox' name='SYN_FLOOD_PROTECTION' value='ON' $checked{'SYN_FLOOD_PROTECTION'}{'ON'}>
+				</td>
+				<td>$Lang::tr{'fwdfw syn flood protection'}</td>
+			</tr>
 			<tr>
 				<td width='1%'>
 					<input type='checkbox' name='TIME' id="USE_TIME_CONSTRAINTS" value='ON' $checked{'TIME'}{'ON'}>
@@ -2341,6 +2349,7 @@ sub saverule
 			$$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'};
 			$$hash{$key}[35] = $fwdfwsettings{'ratecon'};
 			$$hash{$key}[36] = $fwdfwsettings{'RATETIME'};
+			$$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'};
 			&General::writehasharray("$config", $hash);
 		}else{
 			foreach my $key (sort {$a <=> $b} keys %$hash){
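Review bot: `$fwdfwsettings{'SYN_FLOOD_PROTECTION'}` is written to the rules file exactly as posted, with no validation in this patch. The rules generator in patch 5/6 only acts on the literal "ON", so any other value is harmlessly treated as off, but normalizing to 'ON' or '' before the write (here and in the second write path in the next hunk) keeps the stored column well defined and consistent with the other checkbox fields.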
@@ -2382,6 +2391,7 @@ sub saverule
 					$$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'};
 					$$hash{$key}[35] = $fwdfwsettings{'ratecon'};
 					$$hash{$key}[36] = $fwdfwsettings{'RATETIME'};
+					$$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'};
 					last;
 				}
 			}
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index ee3a6c5aa..6e3a01555 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1246,6 +1246,7 @@
 'fwdfw source' => 'Source',
 'fwdfw sourceip' => 'Source address (MAC/IP address or network):',
 'fwdfw std network' => 'Standard networks:',
+'fwdfw syn flood protection' => 'Enable SYN Flood Protection (TCP only)',
 'fwdfw target' => 'Destination',
 'fwdfw targetip' => 'Destination address (IP address or network):',
 'fwdfw till' => 'Until:',
-- 
2.39.2



* [PATCH 5/6] firewall: Implement generating SYNPROXY rules
@ 2024-04-18 21:11 ` Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/firewall/rules.pl        | 12 ++++++++++++
 src/initscripts/system/firewall |  4 ++++
 2 files changed, 16 insertions(+)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index a47c260a1..e38f77242 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -297,6 +297,9 @@ sub buildrules {
 			$NAT_MODE = uc($$hash{$key}[31]);
 		}
 
+		# Enable SYN flood protection?
+		my $SYN_FLOOD_PROTECTION = 0;
+
 		# Set up time constraints.
 		my @time_options = ();
 		if ($$hash{$key}[18] eq 'ON') {
@@ -370,6 +373,11 @@ sub buildrules {
 			}
 		}
 
+		# DoS Protection
+		if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) {
+			$SYN_FLOOD_PROTECTION = 1;
+		}
+
 		# Check which protocols are used in this rule and so that we can
 		# later group rules by protocols.
 		my @protocols = &get_protocols($hash, $key);
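Review bot: `$elements ge 38` is a string comparison; it happens to work for two-digit element counts but evaluates "100" as less than "38". Use the numeric `>=` as for any other count. The `$$hash{$key}[37] eq "ON"` test is correctly guarded by it, so rules written before the new column exists are treated as protection off without an uninitialized-value warning.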
@@ -608,6 +616,10 @@ sub buildrules {
 					}
 					run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
 
+					if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) {
+						run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack");
+					}
+
 					# Handle forwarding rules and add corresponding rules for firewall access.
 					if ($chain eq $CHAIN_FORWARD) {
 						# If the firewall is part of the destination subnet and access to the destination network
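Review bot: the raw-table rule reuses `@options` from the filter rule but not `@source_intf_options` or `@destination_intf_options`, so the notrack rule is wider than the filter rule it accompanies (no interface restriction). Two things to verify: `@options` must contain no match that needs conntrack state or is only meaningful in the filter table, because in raw PREROUTING conntrack has not run yet; and for port-forward (DNAT) rules the FORWARD rule matches the translated destination while raw PREROUTING sees the original one, so the notrack rule may never match exactly the flows the user ticked the box for. A comment above the `run(...)` call describing which fields of `@options` are safe here would help.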
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 1250b9ff4..6727e4a20 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -407,6 +407,10 @@ iptables_init() {
 	iptables -t nat -N REDNAT
 	iptables -t nat -A POSTROUTING -j REDNAT
 
+	# SYN Flood Protection
+	iptables -t raw -N SYN_FLOOD_PROTECT
+	iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT
+
 	# Populate IPsec chains
 	/usr/lib/firewall/ipsec-policy
 
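Review bot: the chain is created once at init here, but rules.pl appends to it with `-A` on every rule rebuild (see the rules.pl hunk above); unless rules.pl also flushes SYN_FLOOD_PROTECT together with the other chains it owns, notrack entries accumulate across reloads and stale entries for deleted firewall rules keep bypassing conntrack. The `-p tcp --syn` restriction on the jump is the right scope: only the initial SYN is left untracked, so the client's ACK is still seen by conntrack and, with tcp_loose disabled, lands in INVALID state where the CTINPUT SYNPROXY rule picks it up.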
-- 
2.39.2



* [PATCH 6/6] sysctl: Conntrack: Disable picking up loose TCP connections
@ 2024-04-18 21:11 ` Michael Tremer
From: Michael Tremer @ 2024-04-18 21:11 UTC (permalink / raw)
  To: development


Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/etc/sysctl.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 31a220e38..e35ee0dc4 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 
+# Do not try to pick up existing TCP connections in conntrack
+net.netfilter.nf_conntrack_tcp_loose = 0
+
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct = 1
 
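Review bot: `net.netfilter.nf_conntrack_tcp_loose` only exists once the nf_conntrack module is loaded, so if this file is applied before netfilter is initialised at boot the setting is silently skipped; verify the ordering or set it from the firewall initscript as well. Behavioural caveat worth a sentence in the commit message: with tcp_loose = 0, TCP flows whose handshake conntrack did not see (after a firewall restart, a conntrack table flush or a failover) are no longer picked up mid-stream and are dropped as INVALID by CTINVALID. That is what SYNPROXY requires, but it is a visible change for long-lived connections.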
-- 
2.39.2


