UFW easy feature additions request
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ufw |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
ufw 0.36
Recommendations are delimited by "=="
==
Add parameter PUBLIC=<interface> to /etc/ufw/uwf.conf
add "ufw-user-
one of these two chains.
:ufw-before-
-A INPUT -m addrtype --dst-type BROADCAST -j ufw-user-
-A INPUT -m addrtype --dst-type UNICAST -j ufw-user-input
Add "broadcast=yes" to parser for files in /etc/ufw/
(so far, I only see dhcpd needing this flag)
REASON: make it easier to define rules only for an Internet-facing ("public") interface; make it easier to block inbound amplification attacks on common ports like http/UDP, ping/ICMP, domain/UDP and ntp/UDP, while still allowing dhcpd/UDP broadcast. Documentation can include in its examples how to limit dhcpd to local interfaces.
==
Add TCP flag filtering, either standard or as an option:
:ufw-test-tcp-flags - [0:0]
-A INPUT -i PUBLIC -m conntrack -ctstate NEW -m tcp -p tcp -j ufw-test-tcp-flags
-A ufw-test-tcp-flags --tcp-flags ALL NONE -j DROP --comment>ALL-NONE
-A ufw-test-tcp-flags --tcp-flags ALL ALL -j DROP --comment>ALL-ALL
-A ufw-test-tcp-flags --tcp-flags SYN,FIN SYN,FIN -j DROP --comment>
-A ufw-test-tcp-flags --tcp-flags SYN,RST SYN,RST -j DROP --comment>
-A ufw-test-tcp-flags --tcp-flags FIN,RST FIN,RST -j DROP --comment>
-A ufw-test-tcp-flags --tcp-flags ACK,FIN FIN -j DROP --comment>
-A ufw-test-tcp-flags --tcp-flags ACK,PSH PSH -j DROP --comment>
-A ufw-test-tcp-flags tcp --tcp-flags ACK,URG URG -j DROP --comment>
REASON: limits certain forms of pen (penetration) testing as well as certain denial of service attacks by ne'er-do-wells.
==
In before.rules, add rate-limiting to ping:
-A ufw-before-input -m -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
REASON: reduces denial of service attacks both from the local LAN and from the public Internet.
===
Documentation: leave short note encouraging people to use sysctl.conf "rd_filter=2" for interfaces running on the public internet, and include RFC 1918 et seq black hole routes in the Linux routing table. FYI, I've attached a YAML file for netplan(5,8) that installs these blackhole routes; need to discuss how to make these available to everyone running Ubuntu 20.04 server edition at least. I also have a version that runs under NetworkManager, but it's only tested in CentOS -- I need to test it on Ubuntu 20.04 desktop edition.
REASON: limits the CPU load caused by certain DDoS attacks that use unrouteable source addresses.
| Stephen T Satchell (satch89521) wrote | #1 |
| Stephen T Satchell (satch89521) wrote | #2 |
| Stephen T Satchell (satch89521) wrote | #3 |
| Jamie Strandboge (jdstrand) wrote | #4 |
| Changed in ufw: | |
| status: | New → Invalid |
| Jamie Strandboge (jdstrand) wrote | #5 |
In reviewing my script to add blackhole routes for NetworkManager, it's required that the script know what interface the blackhole routes need to be associated with. This makes it difficult to use the Package Manager to distribute the script for NetworkManager. For netplan, the package will need to select an interface to which to associate the blackhole routes.
It's possible in both netplan and NetworkManager that the blackhole routes can be associated with the "lo" interface, which gets around this problem. If that works, then the blackhole route data can be packaged separately, say "netplan-rfc1918" and "NetworkManager