[wishlist] ufw enforce RFC packets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
Binary package hint: ufw
I would like to petition for adding the following rules to the default UFW. These rules drop all packets that make no earthly sense. These packets only exist from scanners (or really, really, really broken TCP stacks), and as such are safely ignored. Their blocking will help make scanning Ubuntu boxes with UFW enabled that much harder.
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST FIN,SYN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
Not a single packet listed above is valid, but they are rather easy to make with nmap. Since they have no legit purpose for entering any server, why not simply ignore them? Since these can only be nonsense, placing them above the RELATED,ESTABLISHED rules is safe and can also serve to help prevent malicious disconnects. It is harder to screw up someone's connection when you can only inject valid packets. The data may still cause issues, but it is at least something.
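To make the semantics of the proposed rules concrete, the following Python script (an added illustration, not code from the bug report or from ufw/iptables) parses the complete `--tcp-flags MASK COMP` rules above into bitmasks and walks constructed sample packets through the chain the way netfilter would: only the bits named in MASK are inspected, and a rule matches when exactly the bits in COMP are set among them. Truncated lines such as `--tcp-flags FIN,SYN,` are detected as incomplete and skipped rather than guessed at. The flag bit values are the standard TCP header bits; the packet set and the `check_rfc` chain walker are assumptions for the demonstration.

```python
import re

# TCP header flag bits (standard layout: FIN=bit 0 ... URG=bit 5).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Matches an iptables-save style rule of the shape used in the report.
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+-p\s+tcp\s+-m\s+tcp\s+--tcp-flags\s+"
    r"(?P<mask>[A-Z,]+)\s+(?P<comp>[A-Z,]+)\s+-j\s+(?P<target>\S+)$"
)

# The complete rules from the report plus one of its truncated lines
# (copied as-is to show that an incomplete rule is rejected, not guessed).
REPORTED_RULES = """
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,RST FIN,SYN,RST -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags FIN,SYN,
-A CheckRFC -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A CheckRFC -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
"""

# Constructed sample packets: name -> flag bits as they would appear on the wire.
SAMPLE_PACKETS = {
    "SYN (normal connect)": TCP_FLAGS["SYN"],
    "SYN+ACK": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "PSH+ACK (data)": TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"],
    "FIN+ACK (normal close)": TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"],
    "FIN only": TCP_FLAGS["FIN"],
    "FIN+PSH+URG": TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"],
    "SYN+FIN": TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"],
    "SYN+RST": TCP_FLAGS["SYN"] | TCP_FLAGS["RST"],
    "no flags": 0,
}


def flags_to_mask(spec):
    """Turn 'FIN,SYN' into a bitmask; ALL and NONE follow iptables' meaning."""
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        mask |= TCP_FLAGS[name]
    return mask


def parse_rule(line):
    """Parse one rule line into (mask, comp, target); None if the line is incomplete."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    try:
        return flags_to_mask(m["mask"]), flags_to_mask(m["comp"]), m["target"]
    except ValueError:
        return None


def load_rules(text):
    """Split rule text into parsed rules and the raw lines that could not be parsed."""
    rules, skipped = [], []
    for line in text.strip().splitlines():
        parsed = parse_rule(line)
        if parsed:
            rules.append(parsed)
        else:
            skipped.append(line)
    return rules, skipped


def matches(packet_flags, mask, comp):
    """--tcp-flags semantics: look only at the masked bits, require them to equal comp."""
    return (packet_flags & mask) == comp


def check_rfc(packet_flags, rules):
    """Walk the chain top to bottom; the first matching rule decides, else fall through."""
    for mask, comp, target in rules:
        if matches(packet_flags, mask, comp):
            return target
    return "RETURN"


def evaluate(packets=SAMPLE_PACKETS, rule_text=REPORTED_RULES):
    """Verdict for every sample packet under the parsed rules."""
    rules, _ = load_rules(rule_text)
    return {name: check_rfc(flags, rules) for name, flags in packets.items()}


if __name__ == "__main__":
    loaded, skipped = load_rules(REPORTED_RULES)
    print(f"{len(loaded)} rules loaded, {len(skipped)} incomplete line(s) skipped")
    for pkt_name, verdict in evaluate().items():
        print(f"{pkt_name:24s} -> {verdict}")
```

Running it shows the ordinary handshake, data and close packets falling through untouched, while FIN-only, FIN+PSH+URG, SYN+FIN and SYN+RST hit a DROP rule. It also shows one edge worth checking before adopting such a list: a packet with no flags set matches none of the complete rules shown here, so an all-flags-clear check (`--tcp-flags ALL NONE` in iptables terms) would have to be among the truncated lines or added separately for the chain to cover that case.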
Changed in ufw: |
---|---
importance: | Undecided → Wishlist
status: | New → Confirmed