Drop Invalid Packets--should I enable

Would you enable this firewall setting? In researching, I found some complaints that enabling does not properly update the iptables, but if the chain is correct, this was later fixed. Yet it is disabled by default. Would you enable it?

Absolutely, it is enabled on my device.

It's been disabled on every version of the firmware I've ever used - I've had to manually enable it. I receive quite a few [crafted] packets on my WAN that have flags enabled in invalid combinations.

It works perfectly enabled. I'm not sure about your concern. I only assumed that it was an option in case the router's owner expected packets with intentionally invalid flag combinations. I've never had a scripting issue. I've previously had issues with other FW sections (adding does-not-equal and custom rules); but those were fixed.

Some vulnerabilities are known to exploit such types of packets.

A "Christmas tree packet" is one example that the "drop invalid" firewall option would prevent. See: https://en.wikipedia.org/wiki/Christmas_tree_packet


As always, thank you lleachii for your quick response. Is there a log file you go to to see if you've gotten invalid packets? Also, in the general settings, do you leave the defaults the same? Input = Accept, Output = Accept, Forward = Reject. Or would you change the Forward to Drop? thanks again--

Yes, you can do an iptables LIST command or browse to the firewall tab on LuCI:

8280 429.88 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3 */

I do not leave the defaults the same. This is because I have a subnet on a Layer 3 tunnel. Since there isn't an 'interface' (and therefore no firewall zone to assign), I must set the general settings to DROP to prevent forwarding of those packets at the end of chain processing.

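A way to script the check lleachii describes above, as an added example that is not from this thread or from OpenWrt: it parses the plain output of `iptables -nvL` (use `-xnvL` for exact byte counts), lists every `ctstate INVALID` DROP rule with its hit counters, and reads the default chain policies the follow-up question asks about. The sample listing and its counters are constructed; only the 8280-packet FORWARD line is modelled on the one quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `iptables -nvL` on an OpenWrt/fw3 router with
# "Drop invalid packets" on; the FORWARD rule mirrors the 8280-packet line above.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1536     122880 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
    902K      640M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8280     440197 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
COUNTER_RE = re.compile(r"(\d+)([KMG]?)")  # -nvL abbreviates counters unless -x is given
SCALE = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}

def parse_counter(token: str) -> int:
    m = COUNTER_RE.fullmatch(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * SCALE[m.group(2)]

def chain_policies(listing: str) -> Dict[str, str]:
    """Default policy of each built-in chain, e.g. {'FORWARD': 'DROP'}."""
    policies = {}
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m and m.group(2):
            policies[m.group(1)] = m.group(2)
    return policies

def invalid_drop_rules(listing: str) -> List[Tuple[str, int, int]]:
    """(chain, pkts, bytes) for every DROP rule matching ctstate INVALID."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 3 or not COUNTER_RE.fullmatch(f[0]):
            continue  # column header or blank line
        if f[2] == "DROP" and "ctstate" in f:
            states = f[f.index("ctstate") + 1].split(",")
            if "INVALID" in states:
                rules.append((chain, parse_counter(f[0]), parse_counter(f[1])))
    return rules
```

An empty result from `invalid_drop_rules` means the option is not active in the running ruleset, whatever the LuCI checkbox shows.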

Thanks again.

Enabling this helped me eliminate this problem

[20334.729186] net_ratelimit: 7 callbacks suppressed
[20334.729199] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.744517] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.755041] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.765534] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.776029] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.787236] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)

but first I had to make sure STP was working on each device by splitting each port of the internal switch into different VLANs (which are bridged together).