Drop Invalid Packets--should I enable

Would you enable this firewall setting? In researching, I found some complaints that enabling does not properly update the iptables, but if the chain is correct, this was later fixed. Yet it is disabled by default. Would you enable it?

Absolutely, it is enabled on my device.

It's been disabled on every version of the firmware I've ever used - I've had to manually enable it. I receive quite a few [crafted] packets on my WAN that have flags enabled in invalid combinations.

It works perfectly enabled. I'm not sure about your concern. I only assumed that it was an option in case the router's owner expected packets with intentionally invalid flag combinations. I've never had a scripting issue. I've previously had issues with other FW sections (adding does-not-equal and custom rules); but those were fixed.

Some vulnerabilities are known to exploit such types of packets.

A "Christmas tree packet" is one example that the "drop invalid" firewall option would prevent. See: https://en.wikipedia.org/wiki/Christmas_tree_packet

3 Likes

As always, thank you lleachii for your quick response. Is there a log file you can go to to see if you've gotten invalid packets? Also, in the general settings, do you leave the defaults the same? Input = Accept, Output = Accept, Forward = Reject. Or would you change Forward to Drop? Thanks again.

Yes, you can do an iptables LIST command or browse to the firewall tab on LuCI:

8280 429.88 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3 */

I do not leave the defaults the same. This is because I have a subnet on a Layer 3 tunnel. Since there isn't an 'interface' (and therefore no firewall zone to assign), I must set the general settings to DROP to prevent forwarding of those packets at the end of chain processing.

1 Like
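As an added example (not from this thread, and not OpenWrt's or fw3's own code), here is a small POSIX shell script that automates the check lleachii describes: it looks for a `--ctstate INVALID ... -j DROP` rule in `iptables -S` output for a given chain, and reads that rule's packet counter from `iptables -L <chain> -v -n -x` (the `-x` prints exact counters instead of the abbreviated "429.88 KB"-style values LuCI shows). The two sample outputs embedded in the script are constructed; the `!fw3` comment is taken from the rule shown above, and the assumption that fw3 installs the rule in INPUT, FORWARD and OUTPUT is mine. On a real router, substitute the live command output as the comment at the bottom shows.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the fw3 "drop invalid" rule is
# present and see how many packets it has dropped, using the same two commands a
# practitioner would run on the router: `iptables -S` and `iptables -L CHAIN -v -n -x`.

# CONSTRUCTED `iptables -S` output, mimicking an OpenWrt/fw3 router with
# "Drop Invalid Packets" enabled (assumption: fw3 tags its rules "!fw3" and
# installs the rule in INPUT, FORWARD and OUTPUT).
SAMPLE_RULES='-A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP'

# CONSTRUCTED `iptables -L INPUT -v -n -x` output; column 1 is the packet counter,
# column 3 the target. The 8280 figure echoes the LuCI line quoted above.
SAMPLE_INPUT_COUNTERS='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    8280     440196 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3 */
   12345    9876543 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */'

# has_drop_invalid CHAIN RULES
#   Exit 0 if RULES (text of `iptables -S`) contains a rule in CHAIN that matches
#   conntrack state INVALID and jumps to DROP; exit 1 otherwise.
has_drop_invalid() {
    printf '%s\n' "$2" | grep -q -- "^-A $1 .*--ctstate INVALID.* -j DROP"
}

# invalid_drop_count COUNTERS
#   Print the packet counter of the first "DROP ... ctstate INVALID" rule in
#   COUNTERS (text of `iptables -L CHAIN -v -n -x`), or 0 if there is none.
invalid_drop_count() {
    printf '%s\n' "$1" | awk '
        $3 == "DROP" && /ctstate INVALID/ { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# audit_chain CHAIN RULES COUNTERS
#   One-line verdict for a chain; a missing rule means the option is disabled
#   (or the firewall was not reloaded after enabling it).
audit_chain() {
    if has_drop_invalid "$1" "$2"; then
        echo "$1: drop-invalid rule present, $(invalid_drop_count "$3") packets dropped"
    else
        echo "$1: no drop-invalid rule (option disabled, or firewall not reloaded)"
    fi
}

# Run against the constructed samples. On a live router use, for example:
#   audit_chain INPUT "$(iptables -S)" "$(iptables -L INPUT -v -n -x)"
# and repeat for FORWARD and OUTPUT.
audit_chain INPUT "$SAMPLE_RULES" "$SAMPLE_INPUT_COUNTERS"
```

A non-zero and growing counter in INPUT is the evidence of crafted or stray packets arriving on the WAN that lleachii mentions; a rule present in `iptables -S` but with a counter stuck at zero only means nothing has matched yet, not that the rule is broken.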

Thanks again.

Enabling this helped me eliminate this problem

[20334.729186] net_ratelimit: 7 callbacks suppressed
[20334.729199] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.744517] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.755041] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.765534] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.776029] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)
[20334.787236] br-lan: received packet on eth0.4 with own address as source address (addr:c4:6e:1f:08:xx:xx, vlan:0)

but first I had to make sure STP was working on each device by splitting each port of the internal switch into different VLANs (which are bridged together).

As a note to anyone who may find this, this setting caused my router to drop packets from my 2nd VLAN on another switch. I have a Cisco switch behind my router with IP routing and other VLANs I use for work stuff. I turned this on and I could still ping the systems on the other VLAN, but basically nothing else... took me a little bit to narrow it down to this setting as I kind of enabled it as an afterthought while doing other stuff. Might save someone a little headache someday, so I thought I would post.

4 Likes

If you have asymmetric routing in your network, like in your case, you have to disable it.
There is also a per-zone setting: uci set firewall.lan.masq_allow_invalid='1'

3 Likes