From patchwork Thu Apr 18 21:11:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7737 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T06ZZMz3wyD for ; Thu, 18 Apr 2024 21:12:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sr6hS3z2VW; Thu, 18 Apr 2024 21:11:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sr5rwSz32qT; Thu, 18 Apr 2024 21:11:56 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm1snMz30CT for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sl4NnBzd9; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) Received: by michael.haj.ipfire.org 
(Postfix, from userid 0) id 4VL9Sl3V9MzTh7D; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/6] firewall: Split CONNTRACK chain Date: Thu, 18 Apr 2024 21:11:39 +0000 Message-Id: <20240418211144.3318938-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Message-ID-Hash: 5PUYYFTQBIOIRGIIV55PYSA5LJ5S3OVP X-Message-ID-Hash: 5PUYYFTQBIOIRGIIV55PYSA5LJ5S3OVP X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This is preparation to handle incoming/outgoing packets differently. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 69bdcb594..d14466ef0 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -149,10 +149,15 @@ iptables_init() { fi iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" - iptables -N CONNTRACK - iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID - iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT + iptables -N CTINPUT + iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID + iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT + + iptables -N CTOUTPUT + iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID + iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark 
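Review bot: the new CTINPUT and CTOUTPUT chains are line-for-line copies of the old CONNTRACK chain, and the commit message only says this is preparation; a short comment above `iptables -N CTINPUT` stating that input-side and output-side conntrack handling are about to diverge would spare the next reader from wondering why the rules are duplicated. Also worth a grep for any remaining `-j CONNTRACK` references outside this file, since that chain no longer exists once this hunk is applied.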
@@ -261,9 +266,9 @@ iptables_init() { done # Accept everything connected - for i in INPUT FORWARD OUTPUT; do - iptables -A ${i} -j CONNTRACK - done + iptables -A INPUT -j CTINPUT + iptables -A FORWARD -j CTINPUT + iptables -A OUTPUT -j CTOUTPUT # Allow DHCP iptables -N DHCPINPUT From patchwork Thu Apr 18 21:11:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7736 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T01pMGz3wkf for ; Thu, 18 Apr 2024 21:12:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sp6kRGz4Sf; Thu, 18 Apr 2024 21:11:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sp4LxZz32rH; Thu, 18 Apr 2024 21:11:54 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm1PxTz30CT for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) 
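Review bot: in the second hunk of patch 1/6 (the INPUT/FORWARD/OUTPUT jumps), FORWARD is wired to CTINPUT, so whatever is added to CTINPUT later applies to forwarded traffic as well as to packets addressed to the firewall itself, and the chain name hides that. A comment beside `iptables -A FORWARD -j CTINPUT` saying that forwarded packets deliberately take the inbound conntrack path would make the intent explicit.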
key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sl4xlrz15d; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl3c6LzTgNC; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/6] firewall: Don't filter output INVALID packets Date: Thu, 18 Apr 2024 21:11:40 +0000 Message-Id: <20240418211144.3318938-2-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: D6PKZHH7KVCMKEPBH4SVHEAET2QYCA5B X-Message-ID-Hash: D6PKZHH7KVCMKEPBH4SVHEAET2QYCA5B X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This should never cause any problems, but will mean that certain more complicated features like SYNPROXY won't work. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 1 - 1 file changed, 1 deletion(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index d14466ef0..054d58c01 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -156,7 +156,6 @@ iptables_init() { iptables -N CTOUTPUT iptables -A CTOUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT - iptables -A CTOUTPUT -m conntrack --ctstate INVALID -j CTINVALID iptables -A CTOUTPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT # Restore any connection marks From patchwork Thu Apr 18 21:11:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7735 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sx5zg7z3wkf for ; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sp42hGz2vJ; Thu, 18 Apr 2024 21:11:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sp2zCvz32rB; Thu, 18 Apr 2024 21:11:54 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm0z6Bz30CT for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 
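Review bot: removing the `--ctstate INVALID -j CTINVALID` rule from CTOUTPUT drops INVALID filtering for all locally generated traffic, not only for the TCP flows that SYNPROXY needs to let out; if the goal is just to let SYNPROXY's synthesized handshake packets leave, consider keeping the rule for other protocols (for example by adding `! -p tcp` to it), or at least carry the SYNPROXY rationale from the commit message into a comment next to CTOUTPUT so the missing rule is not re-added later as an apparent oversight.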
bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sl65GYz2Rp; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl3lN1zTjM7; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 3/6] firewall: Enable SYNPROXY for untracked packets Date: Thu, 18 Apr 2024 21:11:41 +0000 Message-Id: <20240418211144.3318938-3-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: XJ6ZKUE3AZTAZIZS6UVM2VZCYBOVHQLM X-Message-ID-Hash: XJ6ZKUE3AZTAZIZS6UVM2VZCYBOVHQLM X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This enables some DoS protection using SYNPROXY, which will complete a SYN handshake with the client before the connection is forwarded. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 054d58c01..1250b9ff4 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000" IPSET_DB_DIR="/var/lib/location/ipset" +SYNPROXY_OPTIONS=( + # Allow clients to use Selective ACKs + "--sack-perm" + + # Allow TCP Timestamps + #"--timestamp" + + # Window Scaling + "--wscale" "9" + + # Maximum Segment Size + "--mss" "1460" +) + function iptables() { /sbin/iptables --wait "$@" } 
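Review bot: the SYNPROXY_OPTIONS values are hardcoded without explanation: `--timestamp` is commented out with no reason given, and `--mss 1460` is the MSS the proxy advertises to the client in its own SYN-ACK, which is only right behind a 1500-byte MTU and should be lower on a RED interface with a smaller MTU. Suggest a comment recording why timestamps are off, and either deriving the MSS from the RED MTU or documenting the assumption; the advertised options also need to match what the protected server would negotiate itself, otherwise the proxied connection ends up with TCP options the backend never agreed to.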
@@ -151,6 +165,8 @@ iptables_init() { iptables -N CTINPUT iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT + iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \ + -p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}" iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT From patchwork Thu Apr 18 21:11:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7738 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T22fXnz3wkf for ; Thu, 18 Apr 2024 21:12:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sx5hZkz4Wy; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sx0pXrz32qq; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm290Mz30CT for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org 
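Review bot: ordering problem in the CTINPUT hunk of patch 3/6: the SYNPROXY rule is inserted ahead of `--ctstate INVALID -j CTINVALID` and matches every TCP packet in INVALID or UNTRACKED state on INPUT and FORWARD, whether or not any firewall rule opted into SYN flood protection. SYNPROXY discards whatever is not part of a handshake it can validate, so INVALID TCP packets that previously went through CTINVALID (and whatever the `if` block above `DROP_CTINVALID` adds there) are now dropped silently and the CTINVALID counters and logs stop seeing them; consider matching only the flows that carry the raw-table NOTRACK mark, or documenting the loss of visibility. Separately, SYNPROXY needs net.netfilter.nf_conntrack_tcp_loose=0 to behave correctly (the iptables-extensions man page example sets it), and nothing visible in this series sets it.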
[172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sl6sGWz2ZW; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl3tsNzTjXV; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 4/6] firewall.cgi: Add a checkbox to enable SYN flood protection Date: Thu, 18 Apr 2024 21:11:42 +0000 Message-Id: <20240418211144.3318938-4-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: PCIFJCGRKKRIWNT33ANTGYZTN3LDGKF4 X-Message-ID-Hash: PCIFJCGRKKRIWNT33ANTGYZTN3LDGKF4 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++++ html/cgi-bin/firewall.cgi | 14 ++++++++++++-- langs/en/cgi-bin/en.pl | 1 + 12 files changed, 30 insertions(+), 2 deletions(-) 
diff --git a/doc/language_issues.de b/doc/language_issues.de index 1ba77c94d..79b21fe24 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -894,6 +894,7 @@ WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string WARNING: untranslated string: error message = unknown string WARNING: untranslated string: error the to date has to be later than the from date = The to date has to be later than the from date! +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.en b/doc/language_issues.en index 84bc8cdb0..2541ccf88 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -890,6 +890,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.es b/doc/language_issues.es index 25ef7f9c5..4949d9335 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -958,6 +958,7 @@ WARNING: untranslated string: extrahd mounted = Mounted WARNING: untranslated string: extrahd no mount point given = No mount point given WARNING: untranslated string: extrahd not configured = Not configured WARNING: untranslated string: extrahd not mounted = Not mounted +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 7aafc3053..fb29de25c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -912,6 +912,7 @@ WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string WARNING: untranslated string: error message = unknown string WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 7498e2af1..680cc5f4e 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1029,6 +1029,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections WARNING: untranslated string: fwdfw numcon = Number of connections WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost addlocationgrp = Add new Location group WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 16e69bf27..de9dc112a 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1035,6 +1035,7 @@ WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections p WARNING: untranslated string: fwdfw maxconcon = Max. concurrent connections WARNING: untranslated string: fwdfw numcon = Number of connections WARNING: untranslated string: fwdfw ratelimit = Rate-limit new connections +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost addlocationgrp = Add new Location group WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 31c64c164..d52c29f6b 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1093,6 +1093,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 9495d951e..3436c4a6e 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1090,6 +1090,7 @@ WARNING: untranslated string: fwdfw rulepos = Rule position WARNING: untranslated string: fwdfw snat = Source NAT WARNING: untranslated string: fwdfw source = Source WARNING: untranslated string: fwdfw sourceip = Source address (MAC/IP address or network): +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwdfw target = Destination WARNING: untranslated string: fwdfw targetip = Destination address (IP address or network): WARNING: untranslated string: fwdfw timeframe = Use time constraints diff --git a/doc/language_issues.tr b/doc/language_issues.tr index a2c134a2a..ca57075b1 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -977,6 +977,7 @@ WARNING: untranslated string: force enable = Forced WARNING: untranslated string: foreshadow = Foreshadow WARNING: untranslated string: fw red = Firewall options for RED interface WARNING: untranslated string: fwdfw all subnets = All subnets +WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: generate ptr = Generate PTR diff --git a/doc/language_missings b/doc/language_missings index 44d79f352..a214b8f9a 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -56,6 +56,7 @@ < enable < error the to date has to be later than the from date < extrahd because it it outside the allowed mount path +< fwdfw syn flood protection < g.dtm < g.lite < hostile networks in @@ -120,6 +121,7 @@ < extrahd no mount point given < extrahd not configured < extrahd not mounted +< fwdfw syn flood protection < hardware vulnerabilities < hostile networks in < hostile networks out @@ -148,6 +150,7 @@ < bewan adsl pci st < bewan adsl usb < extrahd because it it outside the allowed mount path +< fwdfw syn flood protection < g.dtm < g.lite < hostile networks total @@ -365,6 +368,7 @@ < fwdfw maxconcon < fwdfw numcon < fwdfw ratelimit +< fwdfw syn flood protection < fwhost addlocationgrp < fwhost cust location < fwhost cust locationgroup @@ -894,6 +898,7 @@ < fwdfw maxconcon < fwdfw numcon < fwdfw ratelimit +< fwdfw syn flood protection < fwhost addlocationgrp < fwhost cust location < fwhost cust locationgroup @@ -1613,6 +1618,7 @@ < fwdfw source < fwdfw sourceip < fwdfw std network +< fwdfw syn flood protection < fwdfw target < fwdfw targetip < fwdfw till @@ -2613,6 +2619,7 @@ < fwdfw source < fwdfw sourceip < fwdfw std network +< fwdfw syn flood protection < fwdfw target < fwdfw targetip < fwdfw till 
@@ -3327,6 +3334,7 @@ < force enable < foreshadow < fwdfw all subnets +< fwdfw syn flood protection < fw red < generate ptr < hardware vulnerabilities diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 681d42770..226d00838 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi 
@@ -301,8 +301,8 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') #check if we have an identical rule already if($fwdfwsettings{'oldrulenumber'} eq $fwdfwsettings{'rulepos'}){ foreach my $key (sort keys %rulehash){ - if ( "$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'}" - eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36]"){ + if ( 
"$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'ruleremark'},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'},$fwdfwsettings{'USE_NAT'},$fwdfwsettings{$fwdfwsettings{'nat'}},$fwdfwsettings{'dnatport'},$fwdfwsettings{'nat'},$fwdfwsettings{'LIMIT_CON_CON'},$fwdfwsettings{'concon'},$fwdfwsettings{'RATE_LIMIT'},$fwdfwsettings{'ratecon'},$fwdfwsettings{'RATETIME'},$fwdfwsettings{'SYN_FLOOD_PROTECTION'}" + eq "$rulehash{$key}[0],$rulehash{$key}[2],$rulehash{$key}[3],$rulehash{$key}[4],$rulehash{$key}[5],$rulehash{$key}[6],$rulehash{$key}[7],$rulehash{$key}[8],$rulehash{$key}[9],$rulehash{$key}[10],$rulehash{$key}[11],$rulehash{$key}[12],$rulehash{$key}[13],$rulehash{$key}[14],$rulehash{$key}[15],$rulehash{$key}[16],$rulehash{$key}[17],$rulehash{$key}[18],$rulehash{$key}[19],$rulehash{$key}[20],$rulehash{$key}[21],$rulehash{$key}[22],$rulehash{$key}[23],$rulehash{$key}[24],$rulehash{$key}[25],$rulehash{$key}[26],$rulehash{$key}[27],$rulehash{$key}[28],$rulehash{$key}[29],$rulehash{$key}[30],$rulehash{$key}[31],$rulehash{$key}[32],$rulehash{$key}[33],$rulehash{$key}[34],$rulehash{$key}[35],$rulehash{$key}[36],$rulehash{$key}[37]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && 
!&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; @@ -1624,6 +1624,7 @@ sub newrule $fwdfwsettings{'RATE_LIMIT'} = $hash{$key}[34]; $fwdfwsettings{'ratecon'} = $hash{$key}[35]; $fwdfwsettings{'RATETIME'} = $hash{$key}[36]; + $fwdfwsettings{'SYN_FLOOD_PROTECTION'} = $hash{$key}[37]; $checked{'grp1'}{$fwdfwsettings{'grp1'}} = 'CHECKED'; $checked{'grp2'}{$fwdfwsettings{'grp2'}} = 'CHECKED'; $checked{'grp3'}{$fwdfwsettings{'grp3'}} = 'CHECKED'; @@ -1631,6 +1632,7 @@ sub newrule $checked{'USESRV'}{$fwdfwsettings{'USESRV'}} = 'CHECKED'; $checked{'ACTIVE'}{$fwdfwsettings{'ACTIVE'}} = 'CHECKED'; $checked{'LOG'}{$fwdfwsettings{'LOG'}} = 'CHECKED'; + $checked{'SYN_FLOOD_PROTECTION'}{$fwdfwsettings{'SYN_FLOOD_PROTECTION'}} = 'CHECKED'; $checked{'TIME'}{$fwdfwsettings{'TIME'}} = 'CHECKED'; $checked{'TIME_MON'}{$fwdfwsettings{'TIME_MON'}} = 'CHECKED'; $checked{'TIME_TUE'}{$fwdfwsettings{'TIME_TUE'}} = 'CHECKED'; @@ -2070,6 +2072,12 @@ END $Lang::tr{'fwdfw log rule'} + + + + + $Lang::tr{'fwdfw syn flood protection'} + @@ -2341,6 +2349,7 @@ sub saverule $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; + $$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'}; &General::writehasharray("$config", $hash); }else{ foreach my $key (sort {$a <=> $b} keys %$hash){ @@ -2382,6 +2391,7 @@ sub saverule $$hash{$key}[34] = $fwdfwsettings{'RATE_LIMIT'}; $$hash{$key}[35] = $fwdfwsettings{'ratecon'}; $$hash{$key}[36] = $fwdfwsettings{'RATETIME'}; + $$hash{$key}[37] = $fwdfwsettings{'SYN_FLOOD_PROTECTION'}; last; } } diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index ee3a6c5aa..6e3a01555 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
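Review bot: in the firewall.cgi hunks above, the new SYN_FLOOD_PROTECTION value from the form is stored into slot 37 as-is and later tested with `eq "ON"` by rules.pl (patch 5/6); the checkbox markup was lost in this archive view, so please confirm the input uses value='ON' and that saverule normalises anything else to an empty value. The label says "TCP only", but the box is offered for every protocol and is now part of the identical-rule comparison in saverule, so two otherwise identical UDP or ICMP rules that differ only in this meaningless flag will be treated as distinct rules; clearing the flag on save for non-TCP rules, or hiding the checkbox unless the protocol is TCP, would avoid that.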
@@ -1246,6 +1246,7 @@ 'fwdfw source' => 'Source', 'fwdfw sourceip' => 'Source address (MAC/IP address or network):', 'fwdfw std network' => 'Standard networks:', +'fwdfw syn flood protection' => 'Enable SYN Flood Protection (TCP only)', 'fwdfw target' => 'Destination', 'fwdfw targetip' => 'Destination address (IP address or network):', 'fwdfw till' => 'Until:', From patchwork Thu Apr 18 21:11:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7740 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T25sTJz3wyN for ; Thu, 18 Apr 2024 21:12:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sy1y6Pz4X5; Thu, 18 Apr 2024 21:12:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sx3Mhcz32rB; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm3j1Tz32qr for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org 
[172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sm0PtQz2rM; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl41PBzTkDk; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 5/6] firewall: Implement generating SYNPROXY rules Date: Thu, 18 Apr 2024 21:11:43 +0000 Message-Id: <20240418211144.3318938-5-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: LLMZC472I3FCAOMWWANWLQJV7SIAINU7 X-Message-ID-Hash: LLMZC472I3FCAOMWWANWLQJV7SIAINU7 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- config/firewall/rules.pl | 12 ++++++++++++ src/initscripts/system/firewall | 4 ++++ 2 files changed, 16 insertions(+) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index a47c260a1..e38f77242 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -297,6 +297,9 @@ sub buildrules { $NAT_MODE = uc($$hash{$key}[31]); } + # Enable SYN flood protection? + my $SYN_FLOOD_PROTECTION = 0; + # Set up time constraints. my @time_options = (); if ($$hash{$key}[18] eq 'ON') { 
@@ -370,6 +373,11 @@ sub buildrules { } } + # DoS Protection + if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) { + $SYN_FLOOD_PROTECTION = 1; + } + # Check which protocols are used in this rule and so that we can # later group rules by protocols. my @protocols = &get_protocols($hash, $key); @@ -608,6 +616,10 @@ sub buildrules { } run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); + if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) { + run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack"); + } + # Handle forwarding rules and add corresponding rules for firewall access. if ($chain eq $CHAIN_FORWARD) { # If the firewall is part of the destination subnet and access to the destination network diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 1250b9ff4..6727e4a20 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -407,6 +407,10 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT + # SYN Flood Protection + iptables -t raw -N SYN_FLOOD_PROTECT + iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT + # Populate IPsec chains /usr/lib/firewall/ipsec-policy From patchwork Thu Apr 18 21:11:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 7739 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VL9T24dt1z3wyD for ; Thu, 18 Apr 2024 21:12:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sy1xBGz3vZ; Thu, 18 Apr 2024 21:12:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VL9Sx27RFz32r4; Thu, 18 Apr 2024 21:12:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VL9Sm3dd5z30CT for ; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 
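Review bot: `$elements ge 38` in the @@ -370 hunk of rules.pl is a string comparison (`ge` compares lexically, so `"9" ge "38"` is true because `'9'` sorts after `'3'`); a rule record with fewer than 38 fields can therefore pass the guard, after which `$$hash{$key}[37]` is read as undef and produces an uninitialised-value warning. The `eq "ON"` test keeps protection from being enabled by accident, but the guard is not doing what it says. Use the numeric operator: `if (($elements >= 38) && ($$hash{$key}[37] eq "ON")) {`. The comment `# DoS Protection` would also read better as `# SYN flood protection`, matching the variable it sets.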
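Review bot: the raw-table rule in the @@ -608 hunk reuses `@options` from the filter rule but drops `@source_intf_options` and `@destination_intf_options`, so the `--notrack` applies to matching SYNs arriving on any interface while the filter rule it accompanies is interface-restricted. An `-o` match is not available in PREROUTING, but the source-interface part could be kept; if the wider match is intended, say so in the comment. Two further things the empty commit body should address: the subject promises SYNPROXY rules, yet this hunk emits only the `-j CT --notrack` half, so state where the matching `-j SYNPROXY` rule is generated; and confirm that `SYN_FLOOD_PROTECT` is flushed together with the other chains before `buildrules` runs, since otherwise every reload appends a duplicate rule to it.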
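Review bot: the @@ -407 hunk of the firewall initscript creates `SYN_FLOOD_PROTECT` in the raw table and hooks it from PREROUTING for `-p tcp --syn` only, which is the right pre-filter, but a comment saying that the chain is populated per rule by rules.pl (and stays empty otherwise) would help the next reader. Note also that this is IPv4 `iptables` only; TCP over IPv6 receives no such protection, which is acceptable while `disable_ipv6 = 1` is set in sysctl.conf but deserves a mention in the commit message.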
bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4VL9Sm0bj4z2rc; Thu, 18 Apr 2024 21:11:52 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4VL9Sl47tKzTkg9; Thu, 18 Apr 2024 21:11:51 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 6/6] sysctl: Conntrack: Disable picking up loose TCP connections Date: Thu, 18 Apr 2024 21:11:44 +0000 Message-Id: <20240418211144.3318938-6-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240418211144.3318938-1-michael.tremer@ipfire.org> References: <20240418211144.3318938-1-michael.tremer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: ZBGJOVPBQZGD23XMPVPUVQNQD5CMJ5Z4 X-Message-ID-Hash: ZBGJOVPBQZGD23XMPVPUVQNQD5CMJ5Z4 X-MailFrom: root@michael.haj.ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Michael Tremer X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Michael Tremer --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 31a220e38..e35ee0dc4 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -35,6 +35,9 @@ net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 +# Do not try to pick up existing TCP connections in conntrack +net.netfilter.nf_conntrack_tcp_loose = 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1
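Review bot: the @@ -35 hunk of sysctl.conf turns off `nf_conntrack_tcp_loose` with a one-line comment and an empty commit body; the operational consequence should be documented in the message: TCP sessions that conntrack did not see from the SYN onwards (for example those surviving a firewall restart or a conntrack table flush) are no longer adopted into the table and will be treated as invalid by rules that require ESTABLISHED state, so affected clients have to reconnect. If the SYNPROXY change earlier in this series depends on this setting, say so here too, so the two are not reverted independently.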