diff mbox series

[OpenWrt-Devel] firewall3: make reject types selectable by user

Message ID 1530545351-24848-1-git-send-email-alin.nastac@technicolor.com
State Superseded
Delegated to: John Crispin
Headers show
Series [OpenWrt-Devel] firewall3: make reject types selectable by user | expand

Commit Message

Alin Năstac July 2, 2018, 3:29 p.m. UTC 
From: Alin Nastac <alin.nastac@gmail.com>

RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
code 1 (Communication with destination administratively prohibited).

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
---
 defaults.c | 21 ++++++++++++++++-----
 options.h  |  2 ++
 2 files changed, 18 insertions(+), 5 deletions(-)

Comments

Philip Prindeville July 3, 2018, 4:39 p.m. UTC | #1 
Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?



Sent from my iPhone
> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac@gmail.com> wrote:
> 
> From: Alin Nastac <alin.nastac@gmail.com>
> 
> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> code 1 (Communication with destination administratively prohibited).
> 
> Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
> ---
> defaults.c | 21 ++++++++++++++++-----
> options.h  |  2 ++
> 2 files changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/defaults.c b/defaults.c
> index 11fbf0d..6565ca2 100644
> --- a/defaults.c
> +++ b/defaults.c
> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
>    FW3_OPT("output",              target,   defaults, policy_output),
> 
>    FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
> 
>    FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
>    FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> 
>    defs->syn_flood_rate.rate  = 25;
>    defs->syn_flood_rate.burst = 50;
> +    defs->tcp_reset_rejects    = true;
>    defs->tcp_syncookies       = true;
>    defs->tcp_window_scaling   = true;
>    defs->custom_chains        = true;
> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
>            fw3_ipt_rule_append(r, "INPUT");
>        }
> 
> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> -        fw3_ipt_rule_target(r, "REJECT");
> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> -        fw3_ipt_rule_append(r, "reject");
> +        if (defs->tcp_reset_rejects)
> +        {
> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> +            fw3_ipt_rule_target(r, "REJECT");
> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> +            fw3_ipt_rule_append(r, "reject");
> +        }
> 
>        r = fw3_ipt_rule_new(handle);
>        fw3_ipt_rule_target(r, "REJECT");
> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
> +            defs->admin_prohib_rejects ?
> +                (handle->family == FW3_FAMILY_V6 ?
> +                    "adm-prohibited" :
> +                    "admin-prohib") :
> +                "port-unreach");
>        fw3_ipt_rule_append(r, "reject");
> 
>        break;
> diff --git a/options.h b/options.h
> index 08fecf6..e3ba99c 100644
> --- a/options.h
> +++ b/options.h
> @@ -276,6 +276,8 @@ struct fw3_defaults
>    enum fw3_flag policy_forward;
> 
>    bool drop_invalid;
> +    bool tcp_reset_rejects;
> +    bool admin_prohib_rejects;
> 
>    bool syn_flood;
>    struct fw3_limit syn_flood_rate;
> -- 
> 2.7.4
> 
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Alin Năstac July 3, 2018, 9:22 p.m. UTC | #2 
On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
>
> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?

Not all inbound SYNs are unsolicited. Take for instance active mode
FTP transfers where the client resides on the LAN . In this case the
FTP data connection is initiated from the WAN, but it is solicited by
the FTP control connection initiated from the LAN.

I don't think it matters that much what error code firewall returns
for these unsolicited  inbound SYNs, but this RFC makes
adm-prohibitited code a must.

> Sent from my iPhone
> > On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac@gmail.com> wrote:
> >
> > From: Alin Nastac <alin.nastac@gmail.com>
> >
> > RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> > unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> > code 1 (Communication with destination administratively prohibited).
> >
> > Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
> > ---
> > defaults.c | 21 ++++++++++++++++-----
> > options.h  |  2 ++
> > 2 files changed, 18 insertions(+), 5 deletions(-)
> >
> > diff --git a/defaults.c b/defaults.c
> > index 11fbf0d..6565ca2 100644
> > --- a/defaults.c
> > +++ b/defaults.c
> > @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
> >    FW3_OPT("output",              target,   defaults, policy_output),
> >
> >    FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
> > +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
> > +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
> >
> >    FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
> >    FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
> > @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> >
> >    defs->syn_flood_rate.rate  = 25;
> >    defs->syn_flood_rate.burst = 50;
> > +    defs->tcp_reset_rejects    = true;
> >    defs->tcp_syncookies       = true;
> >    defs->tcp_window_scaling   = true;
> >    defs->custom_chains        = true;
> > @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> >            fw3_ipt_rule_append(r, "INPUT");
> >        }
> >
> > -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> > -        fw3_ipt_rule_target(r, "REJECT");
> > -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> > -        fw3_ipt_rule_append(r, "reject");
> > +        if (defs->tcp_reset_rejects)
> > +        {
> > +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> > +            fw3_ipt_rule_target(r, "REJECT");
> > +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> > +            fw3_ipt_rule_append(r, "reject");
> > +        }
> >
> >        r = fw3_ipt_rule_new(handle);
> >        fw3_ipt_rule_target(r, "REJECT");
> > -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> > +        fw3_ipt_rule_addarg(r, false, "--reject-with",
> > +            defs->admin_prohib_rejects ?
> > +                (handle->family == FW3_FAMILY_V6 ?
> > +                    "adm-prohibited" :
> > +                    "admin-prohib") :
> > +                "port-unreach");
> >        fw3_ipt_rule_append(r, "reject");
> >
> >        break;
> > diff --git a/options.h b/options.h
> > index 08fecf6..e3ba99c 100644
> > --- a/options.h
> > +++ b/options.h
> > @@ -276,6 +276,8 @@ struct fw3_defaults
> >    enum fw3_flag policy_forward;
> >
> >    bool drop_invalid;
> > +    bool tcp_reset_rejects;
> > +    bool admin_prohib_rejects;
> >
> >    bool syn_flood;
> >    struct fw3_limit syn_flood_rate;
> > --
> > 2.7.4
> >
> >
> > _______________________________________________
> > openwrt-devel mailing list
> > openwrt-devel@lists.openwrt.org
> > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>
Philip Prindeville July 3, 2018, 9:32 p.m. UTC | #3 
> On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac@gmail.com> wrote:
> 
> On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
> <philipp_subx@redfish-solutions.com> wrote:
>> 
>> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
> 
> Not all inbound SYNs are unsolicited. Take for instance active mode
> FTP transfers where the client resides on the LAN . In this case the
> FTP data connection is initiated from the WAN, but it is solicited by
> the FTP control connection initiated from the LAN.
> 
> I don't think it matters that much what error code firewall returns
> for these unsolicited  inbound SYNs, but this RFC makes
> adm-prohibitited code a must.


I would have thought that dropping them would be better, since it avoids reflection attacks.

-Philip


> 
>> Sent from my iPhone
>>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac@gmail.com> wrote:
>>> 
>>> From: Alin Nastac <alin.nastac@gmail.com>
>>> 
>>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
>>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
>>> code 1 (Communication with destination administratively prohibited).
>>> 
>>> Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
>>> ---
>>> defaults.c | 21 ++++++++++++++++-----
>>> options.h  |  2 ++
>>> 2 files changed, 18 insertions(+), 5 deletions(-)
>>> 
>>> diff --git a/defaults.c b/defaults.c
>>> index 11fbf0d..6565ca2 100644
>>> --- a/defaults.c
>>> +++ b/defaults.c
>>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
>>>   FW3_OPT("output",              target,   defaults, policy_output),
>>> 
>>>   FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
>>> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
>>> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
>>> 
>>>   FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
>>>   FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
>>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
>>> 
>>>   defs->syn_flood_rate.rate  = 25;
>>>   defs->syn_flood_rate.burst = 50;
>>> +    defs->tcp_reset_rejects    = true;
>>>   defs->tcp_syncookies       = true;
>>>   defs->tcp_window_scaling   = true;
>>>   defs->custom_chains        = true;
>>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
>>>           fw3_ipt_rule_append(r, "INPUT");
>>>       }
>>> 
>>> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>> -        fw3_ipt_rule_target(r, "REJECT");
>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>> -        fw3_ipt_rule_append(r, "reject");
>>> +        if (defs->tcp_reset_rejects)
>>> +        {
>>> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>> +            fw3_ipt_rule_target(r, "REJECT");
>>> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>> +            fw3_ipt_rule_append(r, "reject");
>>> +        }
>>> 
>>>       r = fw3_ipt_rule_new(handle);
>>>       fw3_ipt_rule_target(r, "REJECT");
>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
>>> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
>>> +            defs->admin_prohib_rejects ?
>>> +                (handle->family == FW3_FAMILY_V6 ?
>>> +                    "adm-prohibited" :
>>> +                    "admin-prohib") :
>>> +                "port-unreach");
>>>       fw3_ipt_rule_append(r, "reject");
>>> 
>>>       break;
>>> diff --git a/options.h b/options.h
>>> index 08fecf6..e3ba99c 100644
>>> --- a/options.h
>>> +++ b/options.h
>>> @@ -276,6 +276,8 @@ struct fw3_defaults
>>>   enum fw3_flag policy_forward;
>>> 
>>>   bool drop_invalid;
>>> +    bool tcp_reset_rejects;
>>> +    bool admin_prohib_rejects;
>>> 
>>>   bool syn_flood;
>>>   struct fw3_limit syn_flood_rate;
>>> --
>>> 2.7.4
>>> 
>>> 
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel@lists.openwrt.org
>>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
>>
Alin Năstac July 4, 2018, 5:39 a.m. UTC | #4 
On Tue, Jul 3, 2018 at 11:32 PM Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
> > On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac@gmail.com> wrote:
> >
> > On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
> > <philipp_subx@redfish-solutions.com> wrote:
> >>
> >> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
> >
> > Not all inbound SYNs are unsolicited. Take for instance active mode
> > FTP transfers where the client resides on the LAN . In this case the
> > FTP data connection is initiated from the WAN, but it is solicited by
> > the FTP control connection initiated from the LAN.
> >
> > I don't think it matters that much what error code firewall returns
> > for these unsolicited  inbound SYNs, but this RFC makes
> > adm-prohibitited code a must.
>
> I would have thought that dropping them would be better, since it avoids reflection attacks.

Whether you want to silently drop or reject unauthorized connection
attempts is a matter of local policy.

Besides, in order for a reflection attack against your LAN to succeed,
the source IP address of rejected packets must be part of the LAN
prefix. This can be easily prevented, either by enabling rpfilter or
just by adding a firewall rule when the LAN prefix is statically
allocated (the usual IPv4 case).

> >>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac@gmail.com> wrote:
> >>>
> >>> From: Alin Nastac <alin.nastac@gmail.com>
> >>>
> >>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
> >>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
> >>> code 1 (Communication with destination administratively prohibited).
> >>>
> >>> Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
> >>> ---
> >>> defaults.c | 21 ++++++++++++++++-----
> >>> options.h  |  2 ++
> >>> 2 files changed, 18 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/defaults.c b/defaults.c
> >>> index 11fbf0d..6565ca2 100644
> >>> --- a/defaults.c
> >>> +++ b/defaults.c
> >>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
> >>>   FW3_OPT("output",              target,   defaults, policy_output),
> >>>
> >>>   FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
> >>> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
> >>> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
> >>>
> >>>   FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
> >>>   FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
> >>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> >>>
> >>>   defs->syn_flood_rate.rate  = 25;
> >>>   defs->syn_flood_rate.burst = 50;
> >>> +    defs->tcp_reset_rejects    = true;
> >>>   defs->tcp_syncookies       = true;
> >>>   defs->tcp_window_scaling   = true;
> >>>   defs->custom_chains        = true;
> >>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> >>>           fw3_ipt_rule_append(r, "INPUT");
> >>>       }
> >>>
> >>> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> >>> -        fw3_ipt_rule_target(r, "REJECT");
> >>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> >>> -        fw3_ipt_rule_append(r, "reject");
> >>> +        if (defs->tcp_reset_rejects)
> >>> +        {
> >>> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> >>> +            fw3_ipt_rule_target(r, "REJECT");
> >>> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
> >>> +            fw3_ipt_rule_append(r, "reject");
> >>> +        }
> >>>
> >>>       r = fw3_ipt_rule_new(handle);
> >>>       fw3_ipt_rule_target(r, "REJECT");
> >>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
> >>> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
> >>> +            defs->admin_prohib_rejects ?
> >>> +                (handle->family == FW3_FAMILY_V6 ?
> >>> +                    "adm-prohibited" :
> >>> +                    "admin-prohib") :
> >>> +                "port-unreach");
> >>>       fw3_ipt_rule_append(r, "reject");
> >>>
> >>>       break;
> >>> diff --git a/options.h b/options.h
> >>> index 08fecf6..e3ba99c 100644
> >>> --- a/options.h
> >>> +++ b/options.h
> >>> @@ -276,6 +276,8 @@ struct fw3_defaults
> >>>   enum fw3_flag policy_forward;
> >>>
> >>>   bool drop_invalid;
> >>> +    bool tcp_reset_rejects;
> >>> +    bool admin_prohib_rejects;
> >>>
> >>>   bool syn_flood;
> >>>   struct fw3_limit syn_flood_rate;
> >>> --
> >>> 2.7.4
> >>>
> >>>
> >>> _______________________________________________
> >>> openwrt-devel mailing list
> >>> openwrt-devel@lists.openwrt.org
> >>> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
> >>
>
Eric Luehrsen July 4, 2018, 6:23 a.m. UTC | #5 
On 07/04/2018 01:39 AM, Alin Năstac wrote:
> On Tue, Jul 3, 2018 at 11:32 PM Philip Prindeville
> <philipp_subx@redfish-solutions.com> wrote:
>>> On Jul 3, 2018, at 3:22 PM, Alin Năstac <alin.nastac@gmail.com> wrote:
>>>
>>> On Tue, Jul 3, 2018 at 6:39 PM Philip Prindeville
>>> <philipp_subx@redfish-solutions.com> wrote:
>>>>
>>>> Aren’t all inbound SYNs unsolicited by definition? Is there a danger of reflection attacks?
>>>
>>> Not all inbound SYNs are unsolicited. Take for instance active mode
>>> FTP transfers where the client resides on the LAN . In this case the
>>> FTP data connection is initiated from the WAN, but it is solicited by
>>> the FTP control connection initiated from the LAN.
>>>
>>> I don't think it matters that much what error code firewall returns
>>> for these unsolicited  inbound SYNs, but this RFC makes
>>> adm-prohibitited code a must.
>>
>> I would have thought that dropping them would be better, since it avoids reflection attacks.
> 
> Whether you want to silently drop or reject unauthorized connection
> attempts is a matter of local policy.
> 
> Besides, in order for a reflection attack against your LAN to succeed,
> the source IP address of rejected packets must be part of the LAN
> prefix. This can be easily prevented, either by enabling rpfilter or
> just by adding a firewall rule when the LAN prefix is statically
> allocated (the usual IPv4 case).
> 
>>>>> On Jul 2, 2018, at 9:29 AM, Alin Nastac <alin.nastac@gmail.com> wrote:
>>>>>
>>>>> From: Alin Nastac <alin.nastac@gmail.com>
>>>>>
>>>>> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to
>>>>> unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error
>>>>> code 1 (Communication with destination administratively prohibited).
>>>>>
>>>>> Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
>>>>> ---
>>>>> defaults.c | 21 ++++++++++++++++-----
>>>>> options.h  |  2 ++
>>>>> 2 files changed, 18 insertions(+), 5 deletions(-)
>>>>>
>>>>> diff --git a/defaults.c b/defaults.c
>>>>> index 11fbf0d..6565ca2 100644
>>>>> --- a/defaults.c
>>>>> +++ b/defaults.c
>>>>> @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
>>>>>    FW3_OPT("output",              target,   defaults, policy_output),
>>>>>
>>>>>    FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
>>>>> +    FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
>>>>> +    FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
>>>>>
>>>>>    FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
>>>>>    FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
>>>>> @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
>>>>>
>>>>>    defs->syn_flood_rate.rate  = 25;
>>>>>    defs->syn_flood_rate.burst = 50;
>>>>> +    defs->tcp_reset_rejects    = true;
>>>>>    defs->tcp_syncookies       = true;
>>>>>    defs->tcp_window_scaling   = true;
>>>>>    defs->custom_chains        = true;
>>>>> @@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
>>>>>            fw3_ipt_rule_append(r, "INPUT");
>>>>>        }
>>>>>
>>>>> -        r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>>>> -        fw3_ipt_rule_target(r, "REJECT");
>>>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>>>> -        fw3_ipt_rule_append(r, "reject");
>>>>> +        if (defs->tcp_reset_rejects)
>>>>> +        {
>>>>> +            r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
>>>>> +            fw3_ipt_rule_target(r, "REJECT");
>>>>> +            fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
>>>>> +            fw3_ipt_rule_append(r, "reject");
>>>>> +        }
>>>>>
>>>>>        r = fw3_ipt_rule_new(handle);
>>>>>        fw3_ipt_rule_target(r, "REJECT");
>>>>> -        fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
>>>>> +        fw3_ipt_rule_addarg(r, false, "--reject-with",
>>>>> +            defs->admin_prohib_rejects ?
>>>>> +                (handle->family == FW3_FAMILY_V6 ?
>>>>> +                    "adm-prohibited" :
>>>>> +                    "admin-prohib") :
>>>>> +                "port-unreach");
>>>>>        fw3_ipt_rule_append(r, "reject");
>>>>>
>>>>>        break;
>>>>> diff --git a/options.h b/options.h
>>>>> index 08fecf6..e3ba99c 100644
>>>>> --- a/options.h
>>>>> +++ b/options.h
>>>>> @@ -276,6 +276,8 @@ struct fw3_defaults
>>>>>    enum fw3_flag policy_forward;
>>>>>
>>>>>    bool drop_invalid;
>>>>> +    bool tcp_reset_rejects;
>>>>> +    bool admin_prohib_rejects;
>>>>>
>>>>>    bool syn_flood;
>>>>>    struct fw3_limit syn_flood_rate;
>>>>> --
>>>>> 2.7.4

This could spawn a side topic: for all firewall block types would it be 
useful to have a two tier response that is easily configurable for each 
rule or as a global default. That is _overt_ rejection on the first 
counter per time, and then _covert_ drop after that for maybe 4x cool 
off period. An honest address (DNS zone update) error would quickly 
resolve itself while failing connections properly rather than longer 
time outs. An attack flood would not generate amplified noise.
diff mbox series

Patch

diff --git a/defaults.c b/defaults.c
index 11fbf0d..6565ca2 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@  const struct fw3_option fw3_flag_opts[] = {
 	FW3_OPT("output",              target,   defaults, policy_output),
 
 	FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
+	FW3_OPT("tcp_reset_rejects",   bool,     defaults, tcp_reset_rejects),
+	FW3_OPT("admin_prohib_rejects",bool,     defaults, admin_prohib_rejects),
 
 	FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
 	FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
@@ -113,6 +115,7 @@  fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 
 	defs->syn_flood_rate.rate  = 25;
 	defs->syn_flood_rate.burst = 50;
+	defs->tcp_reset_rejects    = true;
 	defs->tcp_syncookies       = true;
 	defs->tcp_window_scaling   = true;
 	defs->custom_chains        = true;
@@ -276,14 +279,22 @@  fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 			fw3_ipt_rule_append(r, "INPUT");
 		}
 
-		r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
-		fw3_ipt_rule_target(r, "REJECT");
-		fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
-		fw3_ipt_rule_append(r, "reject");
+		if (defs->tcp_reset_rejects)
+		{
+			r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
+			fw3_ipt_rule_target(r, "REJECT");
+			fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+			fw3_ipt_rule_append(r, "reject");
+		}
 
 		r = fw3_ipt_rule_new(handle);
 		fw3_ipt_rule_target(r, "REJECT");
-		fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+		fw3_ipt_rule_addarg(r, false, "--reject-with",
+			defs->admin_prohib_rejects ?
+				(handle->family == FW3_FAMILY_V6 ?
+					"adm-prohibited" :
+					"admin-prohib") :
+				"port-unreach");
 		fw3_ipt_rule_append(r, "reject");
 
 		break;
diff --git a/options.h b/options.h
index 08fecf6..e3ba99c 100644
--- a/options.h
+++ b/options.h
@@ -276,6 +276,8 @@  struct fw3_defaults
 	enum fw3_flag policy_forward;
 
 	bool drop_invalid;
+	bool tcp_reset_rejects;
+	bool admin_prohib_rejects;
 
 	bool syn_flood;
 	struct fw3_limit syn_flood_rate;