Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.
This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
option proto udp
option target ACCEPT
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables. if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+ option name Support-UDP-Traceroute
+ option src wan
+ option dest_port 33434:33689
+ option proto udp
+ option family ipv4
+ option target REJECT
+ option enabled false
+
# include a file with users custom iptables rules
config include
option path /etc/firewall.user