On 15-11-20, Baptiste Jonglez wrote:
> There are two solutions to fix/workaround the problem:
> 
> 1) randomize ICMP rate limiting (done in upstream kernel, there are
>    already OpenWrt patches to update it)

I just checked, here are stable kernel versions containing the fix:

- 4.9.241
- 4.14.203
- 4.19.153
- 5.4.73

And here are our current kernel versions:

- 18.06: 4.9.243 and 4.14.206
- 19.07: 4.14.202
- master: 5.4.75

So, only 19.07 needs a kernel bump (which is already in progress), and
then the fix can go in new stable releases.

> 2) don't send these ICMP messages on WAN for closed ports (change the
>    default rule to DROP instead of REJECT, at least for UDP)

For the record, to do this, the input option of the WAN zone needs to
be changed to "DROP" in /etc/config/firewall:

  config zone
        option name             wan
        ...
        option input            DROP
        ...

and then call "/etc/init.d/firewall reload".

To automate the change (warning: this will remove all comments in your
firewall configuration, and it assumes WAN is the last zone):

  uci get firewall.@zone[-1].name
  # Check that it's indeed "wan"
  uci set firewall.@zone[-1].input=DROP
  uci commit firewall
  /etc/init.d/firewall reload

_______________________________________________
openwrt-devel mailing list
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
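The `uci set firewall.@zone[-1].input=DROP` recipe above works only when WAN happens to be the last zone in /etc/config/firewall, which is not guaranteed (a guest or VPN zone added later will sit after it). The following shell script is an added example, not part of the original message or of OpenWrt itself: it looks the zone up by its `name` option in `uci show firewall` output and only then issues the `uci set`/`commit`/reload sequence. The helper names `sample_uci_show`, `zone_lookup` and `set_zone_input` are my own, and the `uci show` sample is constructed (three zones with "wan" in the middle, exactly the layout `@zone[-1]` gets wrong; one line is deliberately unquoted to exercise the bare-value form older uci versions print). Note that `uci commit` still rewrites the file without comments; the script only removes the last-zone assumption.

```shell
#!/bin/sh
# Added example (not from the original message or from OpenWrt): set the WAN
# zone's input policy by locating the zone by name rather than assuming it is
# @zone[-1]. zone_lookup only parses text and is exercised on a constructed
# sample; set_zone_input is the only function that touches live configuration.

# Constructed sample of `uci show firewall` output (assumption: three zones,
# "wan" in the middle). The last line is deliberately unquoted to mimic the
# bare-value form printed by older uci versions.
sample_uci_show() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].forward=REJECT
EOF
}

# zone_lookup NAME [OPTION]: read `uci show firewall` lines on stdin. With
# OPTION, print that option's value for the zone whose name is NAME; without
# it, print the zone's numeric index (the N in @zone[N]). Quoted and bare
# values are both accepted. Exit status 1 if the zone or option is absent.
zone_lookup() {
    awk -v want="$1" -v opt="$2" '
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^'\''|'\''$/, "", val)               # strip surrounding quotes
            if (!match(key, /^firewall\.@zone\[[0-9]+\]\./)) next
            idx = substr(key, 16, RLENGTH - 17)        # digits between [ and ]
            o   = substr(key, RLENGTH + 1)             # option name after "]."
            opts[idx, o] = val
            if (o == "name") name_of[idx] = val
        }
        END {
            for (i in name_of) {
                if (name_of[i] != want) continue
                if (opt == "") { print i; exit 0 }
                if ((i, opt) in opts) { print opts[i, opt]; exit 0 }
                exit 1
            }
            exit 1
        }'
}

# set_zone_input NAME POLICY: the live change. Validates POLICY, resolves the
# zone index by name, then runs uci set / commit / firewall reload.
set_zone_input() {
    case "$2" in
        ACCEPT|REJECT|DROP) ;;
        *) echo "invalid policy: $2 (expected ACCEPT, REJECT or DROP)" >&2; return 1 ;;
    esac
    idx=$(uci show firewall | zone_lookup "$1") ||
        { echo "no firewall zone named $1" >&2; return 1; }
    cur=$(uci show firewall | zone_lookup "$1" input) || cur="(unset)"
    echo "zone $1 is firewall.@zone[$idx]; input policy $cur -> $2"
    uci set "firewall.@zone[$idx].input=$2" &&
    uci commit firewall &&
    /etc/init.d/firewall reload
}

# Dry run by default; pass --apply on an OpenWrt box to change the live config.
if [ "${1:-}" = "--apply" ]; then
    set_zone_input wan DROP
else
    echo "dry run on constructed sample: wan is @zone[$(sample_uci_show | zone_lookup wan)]," \
         "input currently $(sample_uci_show | zone_lookup wan input)"
fi
```

Run it with no arguments anywhere to see the lookup on the constructed sample; run `sh script.sh --apply` on the router to perform the change, which prints the zone index and the policy transition before committing.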