From: Horace Michael
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: raise log rate limit to 10 packets per second
Date: Mon, 29 Jul 2019 22:40:49 +0200
In-Reply-To: <9c3ea98b-5c45-425b-f3ce-b847bafa51c6@ipfire.org>

Hello,

Would it be a good idea to add root.servers in the CUSTOMINPUT and CUSTOMFORWARD chains, action ACCEPT, just in case somebody uses the GeoIP feature and blocks the countries where these servers reside?

Ex: I just blocked Japan and Sweden on my Internet-facing IPFire, and the rest of the IPFire boxes that use it try to access all root servers and can't reach the ones from the blocked countries.

The first line is m.root-servers.net, located in Japan, and the second line is i.root-servers.net, located in Sweden:

Jul 29 22:16:27 internet_ipfire kernel: FORWARDFW IN=green0 OUT=ppp0 MAC=*************** SRC=a.b.c.d DST=202.12.27.33 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=966 PROTO=UDP SPT=58062 DPT=53 LEN=55
Jul 29 22:16:27 internet_ipfire kernel: FORWARDFW IN=green0 OUT=ppp0 MAC=*************** SRC=a.b.c.d DST=192.36.148.17 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=3289 PROTO=UDP SPT=30228 DPT=53 LEN=55

Horace

> Sent: Monday, July 29, 2019 at 11:00 PM
> From: "Peter Müller"
> To: "IPFire: Development-List"
> Subject: [PATCH] firewall: raise log rate limit to 10 packets per second
>
> Previous setting was to log 10 packets per minute for each
> event logging is turned on. This made debugging much harder,
> as the limit was rather strict and chances of dropping a
> packet without logging it were good.
>
> This patch changes the log rate limit to 10 packets per
> second per event, to avoid DoS attacks against the log file.
> I plan to drop log rate limit entirely in future changes,
> if a better solution for this attack vector is available.
>
> Signed-off-by: Peter Müller
> Cc: Tim FitzGeorge
> Cc: Michael Tremer
> ---
>  config/rootfiles/core/135/filelists/files |  1 +
>  src/initscripts/system/firewall           | 14 +++++++-------
>  2 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/config/rootfiles/core/135/filelists/files b/config/rootfiles/core/135/filelists/files
> index d8df9f65b..e5943ddc0 100644
> --- a/config/rootfiles/core/135/filelists/files
> +++ b/config/rootfiles/core/135/filelists/files
> @@ -5,6 +5,7 @@ var/ipfire/langs
>  etc/unbound/root.hints
>  etc/rc.d/helper/azure-setup
>  etc/rc.d/init.d/cloud-init
> +etc/rc.d/init.d/firewall
>  etc/rc.d/init.d/functions
>  etc/rc.d/init.d/networking/red.down/05-remove-dns-forwarders
>  etc/rc.d/init.d/partresize
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index b3483a744..ec396c708 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -34,20 +34,20 @@ iptables_init() {
>  
>  	# Empty LOG_DROP and LOG_REJECT chains
>  	iptables -N LOG_DROP
> -	iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
> +	iptables -A LOG_DROP -m limit --limit 10/second -j LOG
>  	iptables -A LOG_DROP -j DROP
>  	iptables -N LOG_REJECT
> -	iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG
> +	iptables -A LOG_REJECT -m limit --limit 10/second -j LOG
>  	iptables -A LOG_REJECT -j REJECT
>  
>  	# This chain will log, then DROPs packets with certain bad combinations
>  	# of flags might indicate a port-scan attempt (xmas, null, etc)
>  	iptables -N PSCAN
>  	if [ "$DROPPORTSCAN" == "on" ]; then
> -		iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
> -		iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
> -		iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
> -		iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
> +		iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
> +		iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
> +		iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
> +		iptables -A PSCAN -f -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
>  	fi
>  	iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
>  
> @@ -55,7 +55,7 @@ iptables_init() {
>  	# that's not covered above, may just be a broken windows machine
>  	iptables -N NEWNOTSYN
>  	if [ "$DROPNEWNOTSYN" == "on" ]; then
> -		iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN "
> +		iptables -A NEWNOTSYN -m limit --limit 10/second -j LOG --log-prefix "DROP_NEWNOTSYN "
>  	fi
>  	iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"
>  
> -- 
> 2.16.4
>
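Review bot: on the config/rootfiles/core/135/filelists/files hunk, adding etc/rc.d/init.d/firewall ships the changed script, but the rules are only rebuilt when iptables_init() runs again, so an upgraded box keeps the 10/minute rules in its running table until the firewall initscript is restarted or the system rebooted; the commit message should say which of the two the core update relies on.

Review bot: on the @@ -34,20 +34,20 @@ hunk, every changed rule still uses the module's default --limit-burst (5) and, for LOG_DROP and LOG_REJECT, one counter shared by every rule that jumps into the chain, so a single noisy source that spends the 10/second in LOG_DROP silences the logging of unrelated drops from everyone else; that is also the "DoS against the log file" the commit message worries about, and at 10/second one rule can still write 864,000 lines a day if a flood keeps the bucket empty. A per-source limit such as `-m hashlimit --hashlimit-upto 10/second --hashlimit-mode srcip --hashlimit-name LOG_DROP` bounds the volume per attacker without letting one attacker blind the rest. Style point: `10/second` is now spelled out six times in this function; a single `LOG_LIMIT="10/second"` near the top of iptables_init() would make the follow-up the commit message announces (dropping or replacing the limit) a one-line change.

Review bot: on the @@ -55,7 +55,7 @@ hunk, the NEWNOTSYN LOG rule is touched but still carries no `-m comment`, while the DROP rule two lines below it has `--comment "DROP_NEWNOTSYN"` and the PSCAN LOG rules in the previous hunk all carry one; adding `-m comment --comment "LOG_NEWNOTSYN"` here keeps `iptables -L` output consistent across the logging chains.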
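An added example for the situation Horace describes, not code from IPFire or from anyone on the thread: parse kernel netfilter LOG lines of the FORWARDFW shape quoted above, look the destination up in a root.hints-style table, and report which root servers the GeoIP block is cutting off, then emit ACCEPT rules of the shape he proposes. The two log lines are the ones from the post (MAC redacted and SRC anonymised there, as in the post); the third log line and the root.hints excerpt are constructed for the example and list only the two servers the post names, where a real run would read /etc/unbound/root.hints (the file that appears in the patch's filelist hunk).

```python
"""Find dropped DNS traffic to root servers in netfilter LOG output.

Added example, not IPFire code. The first two LOG_LINES are quoted from the
post; the third line and ROOT_HINTS are constructed for this example.
"""
import re

# Constructed excerpt in the root.hints format (name, TTL, type, address).
# Only the two servers named in the post are listed here; the real file
# carries every root server and is read from /etc/unbound/root.hints.
ROOT_HINTS = """\
;       This file is a constructed two-server excerpt for the example.
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
"""

LOG_LINES = [
    # The two lines from the post (MAC redacted, SRC anonymised there).
    "Jul 29 22:16:27 internet_ipfire kernel: FORWARDFW IN=green0 OUT=ppp0 MAC=*************** SRC=a.b.c.d DST=202.12.27.33 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=966 PROTO=UDP SPT=58062 DPT=53 LEN=55",
    "Jul 29 22:16:27 internet_ipfire kernel: FORWARDFW IN=green0 OUT=ppp0 MAC=*************** SRC=a.b.c.d DST=192.36.148.17 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=3289 PROTO=UDP SPT=30228 DPT=53 LEN=55",
    # Constructed: a prefix containing a space, and a DNS packet to a
    # non-root destination, to show that neither trips the check.
    "Jul 29 22:16:28 internet_ipfire kernel: DROP_TCP Scan IN=ppp0 OUT= MAC=*************** SRC=203.0.113.9 DST=a.b.c.d LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=40000 DPT=53",
]

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Split a kernel LOG line into (prefix, {field: value}).

    The prefix is whatever follows 'kernel: ' up to the first KEY= token and
    may contain spaces ("DROP_TCP Scan "). LEN= appears twice (IP total
    length, then transport payload length); the second copy is stored as LEN_L4.
    """
    _, _, rest = line.partition("kernel: ")
    first = _FIELD.search(rest)
    prefix = rest[: first.start()].strip() if first else rest.strip()
    fields = {}
    for key, value in _FIELD.findall(rest):
        if key in fields:
            key = key + "_L4"  # duplicate key: the transport-layer LEN
        fields[key] = value
    return prefix, fields


def parse_root_hints(text):
    """Map every A/AAAA address in a root.hints file to its lower-case name."""
    servers = {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) == 4 and parts[2] in ("A", "AAAA"):
            servers[parts[3]] = parts[0].rstrip(".").lower()
    return servers


def blocked_root_servers(log_lines, hints_text):
    """Return (prefix, server name, dst) for each logged DNS packet to a root server."""
    roots = parse_root_hints(hints_text)
    hits = []
    for line in log_lines:
        prefix, f = parse_netfilter_log(line)
        if f.get("DPT") == "53" and f.get("DST") in roots:
            hits.append((prefix, roots[f["DST"]], f["DST"]))
    return hits


def accept_rules(hits, chain="CUSTOMFORWARD"):
    """Rules of the shape Horace proposes: ACCEPT DNS to each affected root
    server in the custom chain. Both UDP and TCP, since DNS falls back to TCP
    for large answers. Whether the custom chain is evaluated before the GeoIP
    block depends on IPFire's chain order, which the post does not show."""
    rules = []
    for _, _, dst in dict.fromkeys(hits):  # de-duplicate, keep order
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A {chain} -p {proto} -d {dst} --dport 53 -j ACCEPT")
    return rules


if __name__ == "__main__":
    hits = blocked_root_servers(LOG_LINES, ROOT_HINTS)
    for prefix, name, dst in hits:
        print(f"{prefix}: DNS to {name} ({dst}) is being logged, i.e. not forwarded")
    print("\n".join(accept_rules(hits)))
```

Feeding the two lines from the post yields m.root-servers.net and i.root-servers.net, matching what Horace identified by hand; the constructed third line is ignored because its destination is not a root server. Running the same function over a day of /var/log/messages is the quick way to see whether a GeoIP rule set has quietly taken root servers away from the resolvers behind the firewall.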
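An added example, not IPFire or kernel code, to put numbers on the trade-off the commit message describes (visibility while debugging versus a flood filling the log): a token-bucket model of iptables' `-m limit`, run against constructed arrival patterns at the old `10/minute` and the new `10/second` settings. The model assumes the bucket starts full at `--limit-burst` tokens (module default 5, which none of the rules in the patch override), refills at the `--limit` rate and spends one token per logged packet; a packet that finds the bucket empty is still handled by the next rule in the chain, it just leaves no log line. Jiffy granularity of the real module is ignored.

```python
"""Token-bucket model of `-m limit --limit <rate>` with the default burst of 5.

Added example, not IPFire or kernel code; arrival patterns are constructed.
Fractions keep the arithmetic exact so boundary cases are not lost to float error.
"""
from fractions import Fraction

DEFAULT_BURST = 5  # iptables -m limit default for --limit-burst


def parse_limit(spec):
    """'10/second', '10/minute', '3/hour', '1/day' -> tokens per second (exact)."""
    count, _, unit = spec.partition("/")
    seconds = {"second": 1, "sec": 1, "minute": 60, "min": 60,
               "hour": 3600, "day": 86400}[unit]
    return Fraction(int(count), seconds)


def simulate_limit(arrivals, limit, burst=DEFAULT_BURST):
    """Return (logged, unlogged) for packets arriving at the given times
    (seconds, ascending) and matched by '-m limit --limit <limit>'."""
    rate = parse_limit(limit)
    tokens = Fraction(burst)
    last = arrivals[0] if arrivals else Fraction(0)
    logged = unlogged = 0
    for t in arrivals:
        tokens = min(Fraction(burst), tokens + (t - last) * rate)  # refill, capped
        last = t
        if tokens >= 1:
            tokens -= 1
            logged += 1
        else:
            unlogged += 1  # dropped/rejected as usual, but silently
    return logged, unlogged


def worst_case_lines_per_day(limit, burst=DEFAULT_BURST):
    """Upper bound on LOG entries one limited rule emits in 24 h under a flood
    that keeps the bucket empty: the initial burst plus a day of refill."""
    return burst + int(parse_limit(limit) * 86400)


def evenly_spaced(packets, duration):
    """Constructed arrival pattern: `packets` packets spread over `duration` s."""
    return [Fraction(duration) * i / packets for i in range(packets)]


if __name__ == "__main__":
    scan = evenly_spaced(100, 1)        # a 100-packet probe in one second
    flood = evenly_spaced(10_000, 10)   # 1,000 pps for ten seconds
    for limit in ("10/minute", "10/second"):
        print(limit, "scan:", simulate_limit(scan, limit),
              "flood:", simulate_limit(flood, limit),
              "max lines/day:", worst_case_lines_per_day(limit))
```

With 100 probe packets in one second, `10/minute` logs only the 5-packet burst and the other 95 vanish, which is the "dropping a packet without logging it" problem the commit message names; `10/second` logs 14 of them. The flip side is the other number: under a sustained 1,000 pps flood the new setting still logs only about 1% of packets (104 of 10,000 in ten seconds) while allowing up to 864,005 lines per rule per day, and because the LOG_DROP rule in the patch has one shared bucket, whichever source empties it decides whose drops get logged.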