From patchwork Thu Apr 18 21:11:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7740 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T25sTJz3wyN for ; Thu, 18 Apr 2024 21:12:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sy1y6Pz4X5; Thu, 18 Apr 2024 21:12:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sx3Mhcz32rB; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm3j1Tz32qr for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sm0PtQz2rM; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl41PBzTkDk; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 5/6] firewall: Implement generating SYNPROXY rules Date: Thu, 18 Apr 2024 21:11:43 +0000 Message-Id: <20240418211144.3318938-5-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: LLMZC472I3FCAOMWWANWLQJV7SIAINU7 X-Message-ID-Hash: LLMZC472I3FCAOMWWANWLQJV7SIAINU7 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- config/firewall/rules.pl | 12 ++++++++++++ src/initscripts/system/firewall | 4 ++++ 2 files changed, 16 insertions(+) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index a47c260a1..e38f77242 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -297,6 +297,9 @@ sub buildrules { $NAT_MODE = uc($$hash{$key}[31]); } + # Enable SYN flood protection? + my $SYN_FLOOD_PROTECTION = 0; + # Set up time constraints. my @time_options = (); if ($$hash{$key}[18] eq 'ON') { @@ -370,6 +373,11 @@ sub buildrules { } } + # DoS Protection + if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) { + $SYN_FLOOD_PROTECTION = 1; + } + # Check which protocols are used in this rule and so that we can # later group rules by protocols. my @protocols = &get_protocols($hash, $key); @@ -608,6 +616,10 @@ sub buildrules { } run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); + if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) { + run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack"); + } + # Handle forwarding rules and add corresponding rules for firewall access. if ($chain eq $CHAIN_FORWARD) { # If the firewall is part of the destination subnet and access to the destination network diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1250b9ff4..6727e4a20 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -407,6 +407,10 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT + # SYN Flood Protection + iptables -t raw -N SYN_FLOOD_PROTECT + iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT + # Populate IPsec chains /usr/lib/firewall/ipsec-policy