| Rev | Line | |
|---|
| [4999639] | 1 | # |
|---|
| 2 | # This file is used by /etc/init.d/setfilter |
|---|
| 3 | # |
|---|
| 4 | # Rules that should be stored in raw table. |
|---|
| 5 | # These are mainly used to filter evil or wrong packets. |
|---|
| 6 | |
|---|
| 7 | |
|---|
| 8 | *raw |
|---|
| 9 | :LOG_ICMP - [0:0] |
|---|
| 10 | :LOG_SPOOF - [0:0] |
|---|
| 11 | |
|---|
| 12 | ## LOG and DROP fragmented packets (not head fragments) |
|---|
| 13 | -A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10 |
|---|
| 14 | -A PREROUTING --fragment -j DROP |
|---|
| 15 | |
|---|
| 16 | ## LOG and DROP strange icmp packets |
|---|
| 17 | -A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10 |
|---|
| 18 | -A LOG_ICMP -j DROP |
|---|
| 19 | # Too large icmp requests |
|---|
| [c8daa69] | 20 | -A PREROUTING -p icmp --icmp-type echo-request -m length --length 128: -j LOG_ICMP |
|---|
| [4999639] | 21 | # Too many times of icmp requests (only 5 packets per second if over 10pkts/sec) |
|---|
| 22 | -A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT |
|---|
| 23 | -A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP |
|---|
| 24 | |
|---|
| 25 | ## LOG and DROP IP spoofing (eth1:WAN) |
|---|
| 26 | -A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10 |
|---|
| 27 | -A LOG_SPOOF -j DROP |
|---|
| 28 | -A PREROUTING -i eth1 -s 127.0.0.0/8 -j LOG_SPOOF |
|---|
| 29 | -A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG_SPOOF |
|---|
| 30 | -A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG_SPOOF |
|---|
| 31 | -A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF |
|---|
| 32 | |
|---|
| 33 | COMMIT |
|---|
Note: See
TracBrowser
for help on using the repository browser.
