This is preparation to handle incoming/outgoing packets differently.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 69bdcb594..d14466ef0 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -149,10 +149,15 @@ iptables_init() { fi iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
- iptables -N CONNTRACK - iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID - iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT + iptables -N CTINPUT + iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID + iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT + + iptables -N CTOUTPUT + iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID + iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark @@ -261,9 +266,9 @@ iptables_init() { done
# Accept everything connected - for i in INPUT FORWARD OUTPUT; do - iptables -A ${i} -j CONNTRACK - done + iptables -A INPUT -j CTINPUT + iptables -A FORWARD -j CTINPUT + iptables -A OUTPUT -j CTOUTPUT
# Allow DHCP iptables -N DHCPINPUT
This should never cause any problems, but will cause that certain more complicated featured like SYNPROXY won't work.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 1 - 1 file changed, 1 deletion(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index d14466ef0..054d58c01 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -156,7 +156,6 @@ iptables_init() {
iptables -N CTOUTPUT iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# Restore any connection marks
This enables some DoS protection using SYNPROXY which will complete a SYN handshake with the client before the connection is being forwarded.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- src/initscripts/system/firewall | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 054d58c01..1250b9ff4 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000"
IPSET_DB_DIR="/var/lib/location/ipset"
+SYNPROXY_OPTIONS=( + # Allow clients to use Selective ACKs + "--sack-perm" + + # Allow TCP Timestamps + #"--timestamp" + + # Window Scaling + "--wscale" "9" + + # Maximum Segment Size + "--mss" "1460" +) + function iptables() { /sbin/iptables --wait "$@" } @@ -151,6 +165,8 @@ iptables_init() {
iptables -N CTINPUT iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \ + -p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}" iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++++ html/cgi-bin/firewall.cgi | 14 ++++++++++++-- langs/en/cgi-bin/en.pl | 1 + 12 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index 1ba77c94d..79b21fe24 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -894,6 +894,7 @@ WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string WARNING: untranslated string: error message = unknown string WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date! +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index 84bc8cdb0..2541ccf88 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -890,6 +890,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.es b/doc/language_issues.es index 25ef7f9c5..4949d9335 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -958,6 +958,7 @@ WARNING: untranslated string: extrahd mounted = Mounted WARNING: untranslated string: extrahd no mount point given = No mount point given WARNING: untranslated string: extrahd not configured = Not configured WARNING: untranslated string: extrahd not mounted = Not mounted +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 7aafc3053..fb29de25c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -912,6 +912,7 @@ WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string WARNING: untranslated string: error message = unknown string WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 7498e2af1..680cc5f4e 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1029,6 +1029,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections WARNING: untranslated string: fwdfw numcon = Number of connections WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost addlocationgrp = Add new Location group WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 16e69bf27..de9dc112a 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1035,6 +1035,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections WARNING: untranslated string: fwdfw numcon = Number of connections WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost addlocationgrp = Add new Location group WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 31c64c164..d52c29f6b 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1093,6 +1093,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 9495d951e..3436c4a6e 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1090,6 +1090,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.tr b/doc/language_issues.tr index a2c134a2a..ca57075b1 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -977,6 +977,7 @@ WARNING: untranslated string: force enable = Forced WARNING: untranslated string: foreshadow = Foreshadow WARNING: untranslated string: fw red = Firewall options for RED interface WARNING: untranslated string: fwdfw all subnets = All subnets +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: generate ptr = Generate PTR diff --git a/doc/language_missings b/doc/language_missings index 44d79f352..a214b8f9a 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -56,6 +56,7 @@ < enable < error the to date has to be later than the from date < extrahd because it it outside the allowed mount path +< fwdfw syn flood protection < g.dtm < g.lite < hostile networks in @@ -120,6 +121,7 @@ < extrahd no mount point given < extrahd not configured < extrahd not mounted +< fwdfw syn flood protection < hardware vulnerabilities < hostile networks in < hostile networks out @@ -148,6 +150,7 @@ < bewan adsl pci st < bewan adsl usb < extrahd because it it outside the allowed mount path +< fwdfw syn flood protection < g.dtm < g.lite < hostile networks total @@ -365,6 +368,7 @@ < fwdfw maxconcon < fwdfw numcon < fwdfw ratelimit +< fwdfw syn flood protection < fwhost addlocationgrp < fwhost cust location < fwhost cust locationgroup @@ -894,6 +898,7 @@ < fwdfw maxconcon < fwdfw numcon < fwdfw ratelimit +< fwdfw syn flood protection < fwhost addlocationgrp < fwhost cust location < fwhost cust locationgroup @@ -1613,6 +1618,7 @@ < fwdfw source < fwdfw sourceip < fwdfw std network +< fwdfw syn flood protection < fwdfw target < fwdfw targetip < fwdfw till @@ -2613,6 +2619,7 @@ < fwdfw source < fwdfw sourceip < fwdfw std network +< fwdfw syn flood protection < fwdfw target < fwdfw targetip < fwdfw till @@ -3327,6 +3334,7 @@ < force enable < foreshadow < fwdfw all subnets +< fwdfw syn flood protection < fw red < generate ptr < hardware vulnerabilities diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 681d42770..226d00838 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -301,8 +301,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %rulehash){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" - eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36]"){ + if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'},$fwdfwsettings{'SYN_FLOOD_PROTECTION'}" + eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36],$rulehash{$key}[37]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."<br>"; @@ -1624,6 +1624,7 @@ sub newrule $fwdfwsettings{'RATE_LIMIT'} = $hash{$key}[34]; $fwdfwsettings{'ratecon'} = $hash{$key}[35]; $fwdfwsettings{'RATETIME'} = $hash{$key}[36]; + $fwdfwsettings{'SYN_FLOOD_PROTECTION'} = $hash{$key}[37]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -1631,6 +1632,7 @@ sub newrule $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'SYN_FLOOD_PROTECTION'}{$fwdfwsettings{'SYN_FLOOD_PROTECTION'}} = 'CHECKED'; $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; @@ -2070,6 +2072,12 @@ END </td> <td>$Lang::tr{'fwdfw log rule'}</td> </tr> + <tr> + <td> + <input type='checkbox' name='SYN_FLOOD_PROTECTION' value='ON' $checked{'SYN_FLOOD_PROTECTION'}{'ON'}> + </td> + <td>$Lang::tr{'fwdfw syn flood protection'}</td> + </tr> <tr> <td width='1%'> <input type='checkbox' name='TIME' id="USE_TIME_CONSTRAINTS" value='ON' $checked{'TIME'}{'ON'}> @@ -2341,6 +2349,7 @@ sub saverule $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; + $$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ @@ -2382,6 +2391,7 @@ sub saverule $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; + $$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'}; last; } } diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ee3a6c5aa..6e3a01555 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1246,6 +1246,7 @@ 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC/IP address or network):', 'fwdfw std network' => 'Standard networks:', +'fwdfw syn flood protection' => 'Enable SYN Flood Protection (TCP only)', 'fwdfw target' => 'Destination', 'fwdfw targetip' => 'Destination address (IP address or network):', 'fwdfw till' => 'Until:',
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/firewall/rules.pl | 12 ++++++++++++ src/initscripts/system/firewall | 4 ++++ 2 files changed, 16 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index a47c260a1..e38f77242 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -297,6 +297,9 @@ sub buildrules { $NAT_MODE = uc($$hash{$key}[31]); }
+ # Enable SYN flood protection? + my $SYN_FLOOD_PROTECTION = 0; + # Set up time constraints. my @time_options = (); if ($$hash{$key}[18] eq 'ON') { @@ -370,6 +373,11 @@ sub buildrules { } }
+ # DoS Protection + if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) { + $SYN_FLOOD_PROTECTION = 1; + } + # Check which protocols are used in this rule and so that we can # later group rules by protocols. my @protocols = &get_protocols($hash, $key); @@ -608,6 +616,10 @@ sub buildrules { } run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
+ if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) { + run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack"); + } + # Handle forwarding rules and add corresponding rules for firewall access. if ($chain eq $CHAIN_FORWARD) { # If the firewall is part of the destination subnet and access to the destination network diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1250b9ff4..6727e4a20 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -407,6 +407,10 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT
+ # SYN Flood Protection + iptables -t raw -N SYN_FLOOD_PROTECT + iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT + # Populate IPsec chains /usr/lib/firewall/ipsec-policy
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 31a220e38..e35ee0dc4 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0
+# Do not try to pick up existing TCP connections in conntrack +net.netfilter.nf_conntrack_tcp_loose = 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1