From patchwork Tue Jul 30 06:00:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 2355 Return-Path: Received: from mail01.ipfire.org (unknown [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 7C51E8804A5 for ; Mon, 29 Jul 2019 21:00:27 +0100 (BST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 45y9XT56WXz5PZw8; Mon, 29 Jul 2019 21:00:25 +0100 (BST) Received: from [127.0.0.1] (tor-exit-2.zbau.f3netze.de [185.220.100.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 45y9XN5T7sz5MJWJ for ; Mon, 29 Jul 2019 21:00:20 +0100 (BST) Subject: [PATCH] firewall: raise log rate limit to 10 packets per second To: "IPFire: Development-List" References: From: =?utf-8?q?Peter_M=C3=BCller?= Organization: IPFire.org Message-ID: <9c3ea98b-5c45-425b-f3ce-b847bafa51c6@ipfire.org> Date: Mon, 29 Jul 2019 20:00:00 +0000 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Previous setting was to log 10 packets per minute for each event logging is turned on. This made debugging much harder, as the limit was rather strict and chances of dropping a packet without logging it were good. This patch changes the log rate limit to 10 packets per second per event, to avoid DoS attacks against the log file. I plan to drop log rate limit entirely in future changes, if a better solution for this attack vector is available. Signed-off-by: Peter Müller Cc: Tim FitzGeorge Cc: Michael Tremer --- config/rootfiles/core/135/filelists/files | 1 + src/initscripts/system/firewall | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/core/135/filelists/files b/config/rootfiles/core/135/filelists/files index d8df9f65b..e5943ddc0 100644 --- a/config/rootfiles/core/135/filelists/files +++ b/config/rootfiles/core/135/filelists/files @@ -5,6 +5,7 @@ var/ipfire/langs etc/unbound/root.hints etc/rc.d/helper/azure-setup etc/rc.d/init.d/cloud-init +etc/rc.d/init.d/firewall etc/rc.d/init.d/functions etc/rc.d/init.d/networking/red.down/05-remove-dns-forwarders etc/rc.d/init.d/partresize diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index b3483a744..ec396c708 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -34,20 +34,20 @@ iptables_init() { # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP - iptables -A LOG_DROP -m limit --limit 10/minute -j LOG + iptables -A LOG_DROP -m limit --limit 10/second -j LOG iptables -A LOG_DROP -j DROP iptables -N LOG_REJECT - iptables -A LOG_REJECT -m limit --limit 10/minute -j LOG + iptables -A LOG_REJECT -m limit --limit 10/second -j LOG iptables -A LOG_REJECT -j REJECT # This chain will log, then DROPs packets with certain bad combinations # of flags might indicate a port-scan attempt (xmas, null, etc) iptables -N PSCAN if [ "$DROPPORTSCAN" == "on" ]; then - iptables -A PSCAN -p tcp -m limit --limit 10/minute -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" - iptables -A PSCAN -p udp -m limit --limit 10/minute -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" - iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" - iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" + iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan" + iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan" + iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan" + iptables -A PSCAN -f -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan" fi iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan" @@ -55,7 +55,7 @@ iptables_init() { # that's not covered above, may just be a broken windows machine iptables -N NEWNOTSYN if [ "$DROPNEWNOTSYN" == "on" ]; then - iptables -A NEWNOTSYN -m limit --limit 10/minute -j LOG --log-prefix "DROP_NEWNOTSYN " + iptables -A NEWNOTSYN -m limit --limit 10/second -j LOG --log-prefix "DROP_NEWNOTSYN " fi iptables -A NEWNOTSYN -j DROP -m comment --comment "DROP_NEWNOTSYN"