From: Philip Prindeville Date: Tue, 28 Apr 2020 00:52:51 +0000 (-0600) Subject: firewall: add rule for traceroute support X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=de8b88ce17c3e19cf1fe366be0de2e3c376762b0;p=openwrt%2Fstaging%2Frmilecki.git firewall: add rule for traceroute support Running your firewall's "wan" zone in REJECT zone (1) exposes the presence of the router, (2) depending on the sophistication of fingerprinting tools might identify the OS and release running on the firewall which then identifies known vulnerabilities with it and (3) perhaps most importantly of all, your firewall can be used in a DDoS reflection attack with spoofed traffic generating ICMP Unreachables or TCP RST's to overwhelm a victim or saturate his link. This rule, when enabled, allows traceroute to work even when the default input policy of the firewall for the wan zone has been set to DROP. Signed-off-by: Philip Prindeville --- diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config index 8874e9882c3..5e22f984ce9 100644 --- a/package/network/config/firewall/files/firewall.config +++ b/package/network/config/firewall/files/firewall.config @@ -129,6 +129,19 @@ config rule option proto udp option target ACCEPT +# allow interoperability with traceroute classic +# note that traceroute uses a fixed port range, and depends on getting +# back ICMP Unreachables. if we're operating in DROP mode, it won't +# work so we explicitly REJECT packets on these ports. +config rule + option name Support-UDP-Traceroute + option src wan + option dest_port 33434:33689 + option proto udp + option family ipv4 + option target REJECT + option enabled false + # include a file with users custom iptables rules config include option path /etc/firewall.user