source: lab.git/iptables/ufw/raw.rules @ c273ad8

trunk
Last change on this file since c273ad8 was c8daa69, checked in by mitty <mitty@…>, 15 years ago
  • FIX: increase acceptable icmp packet size limit
    • ping 192.168.100.254 -n 1
      PING 1 (0.0.0.1) 56(124) bytes of data.
      --- 1 ping statistics ---
      23 packets transmitted, 0 received, 100% packet loss, time 22381ms
      

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@15 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

  • Property mode set to 100644
File size: 1.3 KB
Line 
1#
2# This file is used by /etc/init.d/setfilter
3#
4# Rules that should be stored in raw table.
5# These are mainly used to filter evil or wrong packets.
6
7
8*raw
9:LOG_ICMP - [0:0]
10:LOG_SPOOF - [0:0]
11
12## LOG and DROP fragmented packets (not head fragments)
13-A PREROUTING --fragment -j LOG --log-prefix "[UFW BLOCK FRAGMENTED]: " --log-level err -m limit --limit 3/min --limit-burst 10
14-A PREROUTING --fragment -j DROP
15
16## LOG and DROP strange icmp packets
17-A LOG_ICMP -j LOG --log-prefix "[UFW BLOCK BAD-ICMP]: " --log-level err -m limit --limit 3/min --limit-burst 10
18-A LOG_ICMP -j DROP
19# Too large icmp requests
20-A PREROUTING -p icmp --icmp-type echo-request -m length --length 128: -j LOG_ICMP
21# Too many times of icmp requests (only 5 packets per second if over 10pkts/sec)
22-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
23-A PREROUTING -p icmp --icmp-type echo-request -j LOG_ICMP
24
25## LOG and DROP IP spoofing (eth1:WAN)
26-A LOG_SPOOF -j LOG --log-prefix "[UFW BLOCK IP-SPOOFING]: " --log-level err -m limit --limit 3/min --limit-burst 10
27-A LOG_SPOOF -j DROP
28-A PREROUTING -i eth1 -s    127.0.0.0/8 -j LOG_SPOOF
29-A PREROUTING -i eth1 -s     10.0.0.0/8 -j LOG_SPOOF
30-A PREROUTING -i eth1 -s  172.16.0.0/12 -j LOG_SPOOF
31-A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG_SPOOF
32
33COMMIT
Note: See TracBrowser for help on using the repository browser.