From patchwork Thu Apr 18 21:11:41 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7735
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sx5zg7z3wkf
	for <patchwork@web04.haj.ipfire.org>; Thu, 18 Apr 2024 21:12:01 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sp42hGz2vJ;
	Thu, 18 Apr 2024 21:11:54 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sp2zCvz32rB;
	Thu, 18 Apr 2024 21:11:54 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm0z6Bz30CT
	for <development@lists.ipfire.org>; Thu, 18 Apr 2024 21:11:52 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sl65GYz2Rp;
	Thu, 18 Apr 2024 21:11:51 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4VL9Sl3lN1zTjM7; Thu, 18 Apr 2024 21:11:51 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/6] firewall: Enable SYNPROXY for untracked packets
Date: Thu, 18 Apr 2024 21:11:41 +0000
Message-Id: <20240418211144.3318938-3-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org>
References: <20240418211144.3318938-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: XJ6ZKUE3AZTAZIZS6UVM2VZCYBOVHQLM
X-Message-ID-Hash: XJ6ZKUE3AZTAZIZS6UVM2VZCYBOVHQLM
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/XJ6ZKUE3AZTAZIZS6UVM2VZCYBOVHQLM/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

This enables some DoS protection using SYNPROXY which will complete a
SYN handshake with the client before the connection is being forwarded.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 054d58c01..1250b9ff4 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000"
 
 IPSET_DB_DIR="/var/lib/location/ipset"
 
+SYNPROXY_OPTIONS=(
+	# Allow clients to use Selective ACKs
+	"--sack-perm"
+
+	# Allow TCP Timestamps
+	#"--timestamp"
+
+	# Window Scaling
+	"--wscale" "9"
+
+	# Maximum Segment Size
+	"--mss" "1460"
+)
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -151,6 +165,8 @@ iptables_init() {
 
 	iptables -N CTINPUT
 	iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
+		-p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
 	iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT