Trouble if enabled SYN flood protect rule....[Solved] [INACTIVE]

BrazilFW 2.x help discussions in English.

Trouble if enabled SYN flood protect rule....[Solved]

Post by brahama » Thu Sep 11, 2008 2:59 pm

Hi guys...

I decided to uncomment the rule for SYN, DoS, floods... and now, every time I reload the firewall rules because I am adding a port forward for example, these DoS rules get duplicated... I think there should be only a couple of these and I am getting like 20... :0

416K 28M port-filter all -- any any anywhere anywhere
19347 1064K ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
6 352 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK
0 0 if-filter all -- any any anywhere anywhere state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN,ACK


So I guess some script is not working as it should... I will comment and reload and "uncomment" them and reload again to get only one...

But I see that the DoS and scanner rules, which are:
# Attention: To enable the commands below can cause some side effects
# Syn-flood and DOS protection
#iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
# Port Scanners protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP

Should I have all three uncommented, or only the port scanner or DoS protection...? Or can all be uncommented...

Cheers and thanks,
Agustin
brahama
 

Re: Trouble if enabled SYN flood protect rule....

Post by bobbb » Fri Sep 12, 2008 11:36 am

Yes this is known... and I have written a solution.

http://bonomo.info/coyote/advanced2.html I will check to see if it is still correct for release 2.31.10

Here is the original post.
viewtopic.php?f=3&t=58453
bobbb
 

Re: Trouble if enabled SYN flood protect rule....

Post by bobbb » Fri Sep 12, 2008 7:02 pm

I have discovered another little problem with this and am testing it now.

The order in which the different scripts are run caused the changes in my instructions above (and the original post) to fail after a boot. It is now corrected and explained in that page above.
bobbb
 

Re: Trouble if enabled SYN flood protect rule....[Solved]

Post by brahama » Sat Sep 13, 2008 4:57 am

Hmm... I don't understand why there are rules in separate files if you say that you have to add the ./etc/...firewall.local
This will bring out an error because the firewall.local won't find the chains that are created after its execution...

Why not put all the

iptables -N custom
iptables -I FORWARD -j custom
iptables -t mangle -N custom-pre
iptables -t mangle -N custom-out
iptables -t mangle -A PREROUTING -j custom-pre
iptables -t mangle -A OUTPUT -j custom-out

in the file firewall.local...

Cheers...
brahama
 

Re: Trouble if enabled SYN flood protect rule....[Solved]

Post by bobbb » Sat Sep 13, 2008 11:24 am

The part (that you quote) in the local init script is only run once when the system starts... and yes, it does give an error on the console. You don't want to run this every time you reload the firewall (they will always fail).

That is why I put in the last line to load the rules at start up because you may never reload the firewall after startup.

This is tested... Booted, re-booted, reload firewall again and again. It is the best that can be done without changing the distro.
bobbb
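To make the rule set survive repeated firewall reloads without the duplication shown in the first post, here is an added shell example (mine, not BrazilFW's code or bobbb's script): it creates the custom chain only when it is missing, flushes it before re-adding the three rules, and hooks it into FORWARD once. The IPT and CHAIN variables are assumptions so the logic can be exercised with a stand-in command instead of a live kernel.

```shell
#!/bin/sh
# Added example, not from the thread or from BrazilFW: load the three DoS /
# port-scan rules into a dedicated chain in a way that can be re-run on every
# firewall reload without duplicating them. IPT and CHAIN are assumptions so
# the logic can be exercised with a stand-in command instead of a live kernel.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-custom}"

# Create the chain on the first run; on later runs flush it so the rules
# below are never appended a second time. The FORWARD hook is added only
# if it is not already listed.
ensure_chain() {
    if "$IPT" -n -L "$CHAIN" >/dev/null 2>&1; then
        "$IPT" -F "$CHAIN"
    else
        "$IPT" -N "$CHAIN"
    fi
    if ! "$IPT" -n -L FORWARD | grep -q "^$CHAIN "; then
        "$IPT" -I FORWARD -j "$CHAIN"
    fi
}

# The three rules from the thread, in the order the post lists them.
load_dos_rules() {
    ensure_chain
    "$IPT" -A "$CHAIN" -p tcp --syn -m limit --limit 1/s -j ACCEPT
    "$IPT" -A "$CHAIN" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    "$IPT" -A "$CHAIN" -p tcp --tcp-flags ALL SYN,ACK -j DROP
}

# Number of rules currently in the chain (the two header lines are skipped);
# after any number of reloads this should still be 3.
count_rules() {
    "$IPT" -n -L "$CHAIN" | awk 'NR > 2 && NF { n++ } END { print n + 0 }'
}

# Run as "sh thisfile.sh load" from the script executed on each reload.
if [ "${1:-}" = "load" ]; then
    load_dos_rules
fi
```

Note that the two limit/ACCEPT rules only accept what stays within the limit; packets above it do not match and fall through to whatever rules follow the custom chain in FORWARD, so the effective protection depends on those later rules.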
 

Re: Trouble if enabled SYN flood protect rule....[Solved]

Post by brahama » Sat Sep 13, 2008 1:46 pm

Ahh... OK... so the first time, to make it work, I need to reboot the FW, right?
So the Local Init Script, where the custom chains are created, is only executed when the system boots?

Thanks mate again.....

Is there a tutorial or something where this kind of thing is explained...? I mean which scripts are executed first... and which ones later... which changes need a reboot of the system? If not, I will try to read the scripts and get an explanation and maybe post it...
brahama
 

Re: Trouble if enabled SYN flood protect rule....[Solved]

Post by bobbb » Sat Sep 13, 2008 6:43 pm

I have different tutorials on my site but none that tells you everything about BrazilFW. Each has its own subject and I try to explain just that little part. The one I mentioned above deals just with this part only of BFW.
http://bonomo.info/coyote/

..which changes need a reboot of the system?
The system usually tells you when you change something and it requires a reboot. When you change the Local Init script it says you must reboot the system.
bobbb
 

Re: Trouble if enabled SYN flood protect rule....[Solved]

Post by brahama » Sun Sep 14, 2008 12:47 am

Cool...great tips...thanks as usual mate...
brahama
 

