This change tries to harden the security of the default firewall rules.

1. Following the "deny by default" principle, change the default section policy to DROP. The firewall package already adds rules to allow all lo traffic, so there should be no impact on users.
2. Harden the Allow-DHCP-Renew rule: the source port should always be 67.
3. Refer to RFC 4890, ICMPv6 Filtering Recommendations, Appendix B (http://www.ietf.org/rfc/rfc4890.txt). The sample ICMPv6 filter rules indicate that ip6tables can keep track of most ICMPv6 traffic as "RELATED", so the ICMPv6 filter can be hardened. 4. Allow most ICMPv6 neighbour discovery traffic, as the kernel enforces the "hop-limit=255" rule (such packets are not forwarded). 5. Remove the 1000/sec limit to avoid a possible denial of service (an attacker could stop all ICMP traffic by sending more than 1000 ICMP packets/s).

Signed-off-by: ching <[email protected]>

1 files changed
Index: trunk/package/firewall/files/firewall.config
===================================================================
--- trunk/package/firewall/files/firewall.config	(revision 31216)
+++ trunk/package/firewall/files/firewall.config	(working copy)
@@ -1,8 +1,8 @@
 config defaults
 	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT 
-	option forward		REJECT
+	option input		DROP
+	option output		DROP
+	option forward		DROP
 # Uncomment this line to disable ipv6 rules
 #	option disable_ipv6	1
 
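Review bot: `option output DROP` on line 21 is not covered by the justification given for this hunk: the description argues only that lo traffic is already allowed, which says nothing about traffic the router itself originates (DNS lookups, NTP, package downloads) on an interface that is not under a zone with its own output policy. Whether zone policies take precedence over these defaults is not visible here, so the commit message, or a comment in the `defaults` section, should name the rule that keeps router-originated traffic working, e.g. `# router-originated traffic is permitted by the per-zone output policy, not by this default` once that has been confirmed. Changing `forward` from REJECT to DROP also changes the failure mode for blocked forwarded connections from an immediate ICMP error to a timeout; that is consistent with a deny-by-default posture, but it deserves a sentence in the description.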
@@ -31,6 +31,7 @@
 config rule
 	option name		Allow-DHCP-Renew
 	option src		wan
+	option src_port	67
 	option proto		udp
 	option dest_port	68
 	option target		ACCEPT
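Review bot: The added `option src_port	67` on line 30 narrows the rule to well-formed DHCP server replies, but the source port is chosen by the sender, so this is a plausibility check rather than a trust boundary; a short comment such as `# server->client replies come from port 67 (RFC 2131); format check, not authentication` would keep a later reader from reading more into it. The new line is also indented with a single tab where the neighbouring options use two, `option src_port	67` versus `option proto		udp`; aligning it keeps the stanza consistent. The `config rule` stanza starts on line 27 and is complete within the hunk.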
@@ -64,15 +65,11 @@
 	option src		wan
 	option proto	icmp
 	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
 	list icmp_type		router-solicitation
+	list icmp_type		router-advertisement
 	list icmp_type		neighbour-solicitation
-	option limit		1000/sec
+	list icmp_type		neighbour-advertisement
+	list icmp_type		redirect
 	option family		ipv6
 	option target		ACCEPT
 
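Review bot: Dropping `destination-unreachable`, `packet-too-big`, `time-exceeded`, `bad-header` and `unknown-header-type` from the input rule (lines 39-43) makes correct ICMPv6 error handling depend on an earlier RELATED/ESTABLISHED accept rule that is not visible in this file, and the same applies to the forward rule in the last hunk (lines 58-62). Any error message that conntrack cannot associate with a tracked flow — an error about a packet that was never tracked, or one arriving after the entry expired — will now hit the new DROP default, and a lost Packet Too Big in particular breaks path MTU discovery, which RFC 4890 recommends never be filtered. Please either confirm in the description that the firewall package always installs a RELATED accept ahead of user rules, or keep `packet-too-big` in both lists explicitly. A comment above the rule like `# ICMPv6 error messages are accepted as RELATED by conntrack; only non-error types are listed here` would record the dependency for the next reader. The `config rule` stanza containing this list starts above the hunk.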
@@ -83,13 +80,6 @@
 	option dest		*
 	option proto		icmp
 	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	option limit		1000/sec
 	option family		ipv6
 	option target		ACCEPT
 