I've told you in PMs that there are many reports on the net about false matches causing valid traffic to be dropped too. Users need to watch out for problems with it, although I do think it should be a GUI option, defaulted off at first.
Quote:
ping flood protection
bruteforce attack protection to port 20,21,22,23,3389, 5900 ('recent' method)
All ICMP is blocked on the WAN by default so it only matters if you want to allow ICMP. My patch fixes the GUI options for SSH and Telnet bruteforce protection to use -m recent and also makes DD-WRT always have a logbrute chain in iptables for people to easily add it for any other ports they want to secure.
Quote:
asiablock - lock out south-east asia (notorious spammers)
worldblock - lock out all foreign countries
birmablock - lock out abusers with additional script
Dirty blacklisting that can block good users and should only be used with care.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Joined: 24 Aug 2009 Posts: 2070 Location: South Florida
Posted: Wed May 18, 2011 15:26 Post subject:
phuzi0n wrote:
Quote:
addition of an INVALID drop
I've told you in PMs that there are many reports on the net about false matches causing valid traffic to be dropped too. Users need to watch out for problems with it, although I do think it should be a GUI option, defaulted off at first.
Quote:
ping flood protection
bruteforce attack protection to port 20,21,22,23,3389, 5900 ('recent' method)
All ICMP is blocked on the WAN by default so it only matters if you want to allow ICMP. My patch fixes the GUI options for SSH and Telnet bruteforce protection to use -m recent and also makes DD-WRT always have a logbrute chain in iptables for people to easily add it for any other ports they want to secure.
Quote:
asiablock - lock out south-east asia (notorious spammers)
worldblock - lock out all foreign countries
birmablock - lock out abusers with additional script
Dirty blacklisting that can block good users and should only be used with care.
The INVALID rule is implemented by default in both the Tomato and OpenWrt firewalls. Furthermore, the policy is set to DROP by default (at least in Tomato), not ACCEPT. I believe this to be a better practice. If you can explain to me otherwise, I'd like to know.
_________________
Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
Quote:
I've told you in PMs that there are many reports on the net about false matches causing valid traffic to be dropped too. Users need to watch out for problems with it, although I do think it should be a GUI option, defaulted off at first.
INVALID DROP is more a performance feature. All subsequent rules are for NEW and wouldn't match anyhow. Having an INVALID DROP just makes subsequent rules easier to add because you don't have to test the state anymore.
Some dual-WAN routers send some packets mid-stream over another WAN interface. These packets will get dropped by the endpoint anyhow. It's just part of sanity checking.
Your patch, just like mine, is just a patch. I would love to see it in the firmware itself and make my set of patches become obsolete. 'fixtables' is not the holy grail, although some propagate it as such with the best intentions.
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Quote:
The INVALID rule is implemented by default in both the Tomato and OpenWrt firewalls. Furthermore, the policy is set to DROP by default (at least in Tomato), not ACCEPT. I believe this to be a better practice. If you can explain to me otherwise, I'd like to know.
I already said that I agree that it should be implemented, it's just a big change that needs to be tested slowly before potentially causing huge headaches. From the man page itself:
Quote:
Possible states are INVALID meaning that the packet could not be identified for some reason which includes running out of memory and ICMP errors which don't correspond to any known connection
There's nothing wrong with the counters; you don't have any rules referencing the chain, so no traffic is going to it. You need to use the GUI options for bruteforce protection or jump to the logbrute chain with your own rules to use it.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
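As an added example (not DD-WRT's own firewall script, nor phuzi0n's or Frater's patch), a POSIX shell script that builds the pieces discussed in this thread: the INVALID drop placed ahead of the ESTABLISHED/RELATED accept, and a logbrute chain using -m recent that only sees traffic once a per-port jump rule references it. The WAN interface name vlan2, the exact contents of the logbrute chain, and the 4-hits-in-60-seconds threshold are assumptions.

```shell
#!/bin/sh
# Added example, not DD-WRT's own firewall script. Builds the rules discussed in
# the thread: an INVALID drop ahead of the ESTABLISHED/RELATED accept, plus a
# "logbrute" chain using -m recent that any port can jump to.
# IPT may be pointed at a shell function that prints instead of applying (dry run).
IPT="${IPT:-iptables}"

# Assumed threshold: more than 4 NEW connections from one source in 60 seconds
# is treated as a bruteforce attempt and dropped.
BRUTE_SECONDS=60
BRUTE_HITS=4

# Create (or flush) the logbrute chain. Jump rules from INPUT decide which
# ports are covered; the chain itself does not need to know about ports.
setup_logbrute() {
    $IPT -N logbrute 2>/dev/null
    $IPT -F logbrute
    # Record this source, then drop if it exceeded the hit count recently.
    $IPT -A logbrute -m recent --name bruteforce --set
    $IPT -A logbrute -m recent --name bruteforce --update \
        --seconds "$BRUTE_SECONDS" --hitcount "$BRUTE_HITS" -j DROP
    # Under the threshold: return to INPUT and let the normal rules decide.
    $IPT -A logbrute -j RETURN
}

# Send NEW TCP connections to port $1 arriving on WAN interface $2 via logbrute.
# This is the "jump to the logbrute chain with your own rules" step; without
# such a rule the chain's counters stay at zero.
protect_port() {
    port=$1; wan=$2
    $IPT -I INPUT -i "$wan" -p tcp --dport "$port" -m state --state NEW -j logbrute
}

# Sanity rules at the top of INPUT: drop INVALID first, then accept the
# ESTABLISHED/RELATED traffic, so every later rule only has to match NEW.
# (Newer iptables prefer -m conntrack --ctstate; -m state matches the era.)
sanity_rules() {
    wan=$1
    $IPT -I INPUT 1 -i "$wan" -m state --state INVALID -j DROP
    $IPT -I INPUT 2 -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply everything for WAN interface $1 and the listed ports.
apply_all() {
    wan=$1; shift
    setup_logbrute
    for port in "$@"; do protect_port "$port" "$wan"; done
    sanity_rules "$wan"
}

# Only touch the live firewall when explicitly asked: sh script.sh apply
if [ "${1:-}" = "apply" ]; then apply_all vlan2 22 23 3389; fi
```

Run it with IPT pointed at a printing function first to review the generated rules before applying them on the router.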
Quote:
Your patch, just like mine, is just a patch. I would love to see it in the firmware itself and make my set of patches become obsolete. 'fixtables' is not the holy grail, although some propagate it as such with the best intentions.
No, my patch is a patch that landed already and is in the firmware!
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)