Forgot to say 2 weeks ago, thanks for the hint on the counter on my custom chain.
Here's another counter question: is there some way to turn on counters for each of the auto-generated rules/chains created to implement what's configured in /etc/config/firewall? Many but not all of the rules have counters on them in 22.03.0-rc1
How can I translate that to the fw4 /etc/config/firewall?
So far my attempt looks like the one below; however, tcpdump shows a lot of connections to different addresses.
config redirect
	option name 'IoT NTP redirect to router'
	list proto 'udp'
	option src 'IoT'
	option src_dport '123'
	option dest_port '123'
	option src_dip '!192.168.1.1'
	option dest_ip '192.168.1.1'
	option target 'DNAT'
	option dest 'IoT'    # that is actually the router interface, 192.168.1.1

config redirect
	option name 'lan NTP redirect to router'
	list proto 'udp'
	option src 'lan'
	option src_dport '123'
	option dest_port '123'
	option src_dip '!10.0.0.1'
	option dest_ip '10.0.0.1'
	option target 'DNAT'
	option dest 'lan'    # that is actually the router interface, 10.0.0.1
# /etc/nftables.d/90-mangle-ttl.nft
# (fw4 includes this file inside its "table inet fw4", so only chains go here, no table wrapper)
chain mangle_ttl_out {
	type filter hook postrouting priority mangle;
	# rewrite the TTL of every IPv4 packet leaving eth2
	meta nfproto ipv4 oifname eth2 ip ttl set 64
}
chain mangle_ttl_in {
	type filter hook prerouting priority mangle;
	# IPv4 packets arriving on eth2 with TTL 1 get TTL 5 (fixed rewrite, see notes below)
	meta nfproto ipv4 iifname eth2 ip ttl 1 ip ttl set 5
}
Notes:
If you want to handle IPv6 as well, remove the meta nfproto ipv4 part.
nftables does not support an equivalent to iptables' --ttl-inc yet, but since "match TTL 1, increment by 4" is basically just a static rewrite from TTL 1 to TTL 5, a fixed nftables set expression does the job as well.
Is there any fw4 rule to masquerade and forward all internet DNS requests to the local DNS server? I'm using the port forward/redirect rule below for IPv4 traffic, but I'm not able to get IPv6 working other than just blocking it.
I know we can't masquerade IPv6 traffic since there is no NAT. Not sure if there is any option other than blocking outright, please suggest.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_ip '!192.168.1.250'
	option src_dport '53'
	option name 'redirect-DNS'
I think it was an oversight in the initial implementation since the enabled variable is present in parse_include() but not checked. I think @jow can fix it easily when he has time.
I used to use the instructions here for IPv6 DoH blocking under fw3, but this doesn't seem to work on fw4 and gives a couple of errors: one about the reload option no longer being valid and one about not finding the ip6tables-restore command. Not sure who maintains that page, but it has always been reliable in the past, so hopefully they will update it in time... I don't understand enough about fw4 to adapt it.
I am looking for some input on how to properly throttle incoming connections with 22.03 (rc6).
The target is to throttle "every" incoming IP separately, to at most something like 10 connections/minute on average (maybe allowing some bursts). If they exceed that, give them a "cooldown" (dropping all their packets) until they have stayed under the limit for a timeout (like 5 mins).
Such a feature would reduce the attack surface for the amount of SSH/SMTP/HTTP/port scanning I am seeing. I would imagine this could be a quite useful tool for many home routers, with basically just one tunable knob: "Throttle incoming connections/s to".
The LuCI rules will not work, as they apply evenly across all incoming connections (they do not discriminate between source IPs). For example, I don't want to lock myself out.
Where can I find the relevant docs on how to correctly use fw4/nft/ipset under OpenWrt? Do I just start dropping nft declarations in /etc/nftables.d/? Is there an architecture document somewhere?
Does anyone already have such a thing? (I tried googling for a while.)
fail2ban does something like that. You should look into it. Also, with a properly configured firewall, port scans really do not matter at all if you don't have anything listening on those ports. I wouldn't worry about it.
If you do have something listening on outside ports, such as SSH, you should reconsider your setup. Use a VPN such as wireguard that does not respond to port scans at all, and use the VPN to connect services such as SSH. That would greatly reduce your attack surface.
This is easily done with a meter... say throttling incoming ssh:
table ...{
	# the "add @name { ... }" form writes into dynamic sets, which must be
	# declared in the same table (one per address family)
	set my_ssh_meter4 { type ipv4_addr; flags dynamic; }
	set my_ssh_meter6 { type ipv6_addr; flags dynamic; }
	chain ...{
		...
		# per-source limit on new SSH connections: over 10/minute (burst 10) -> drop
		meta nfproto ipv4 tcp dport 22 ct state new add @my_ssh_meter4 { ip saddr limit rate over 10/minute burst 10 packets } drop
		meta nfproto ipv6 tcp dport 22 ct state new add @my_ssh_meter6 { ip6 saddr limit rate over 10/minute burst 10 packets } drop
		...
	}
}
Thanks for that tip. It looks like I really should just explore nft.
I still struggle to find good docs on the architecture of fw4, i.e. which files go where, and when and how they are reloaded. All the docs on the wiki seem to be for fw3.
Thanks for the pointer. I am not trying to hide my whole network, so VPN is really not the right thing (even though I am using WG for remote-admin access).
I am trying to make it less risky to expose services (including SSH, Home-assistant, MQTT, ...) towards the big bad internet (especially as I can get public IPv6). Connect/scan-throttles can certainly help with that -- reducing some of the more "brute" attack surface.
Yes, this is a good idea, and nftables meters are a great way. A brute-force search at 10/min has zero chance of succeeding with decent passwords etc. I do this in my own firewall for any service on the public internet. The other thing I do is randomly subsample the resulting logged packets, because it's easily the case that I can get hundreds of attempts per minute, so I randomly sample 2-3% of them to keep the logs less messy.
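Putting the meter reply and the log-sampling reply above together with the original request (per-source limit, a cooldown that only ends after the source has stayed under the limit, sampled logging), here is a complete fw4 include file. This is an added example, not code posted in the thread or shipped by OpenWrt; the file name, the set and chain names and the 10/minute, 5 minute and 3% figures are assumptions taken from the discussion. It relies on fw4 splicing every /etc/nftables.d/*.nft file into its own "table inet fw4", which is why there is no table wrapper.

```nft
# /etc/nftables.d/50-ssh-throttle.nft   (hypothetical file name)
#
# fw4 includes this file inside "table inet fw4", so it holds table-level
# objects only (sets and chains). All names below are assumptions.

# Per-source meters. The limit expression is attached to each set element, so
# every source address gets its own token bucket; idle entries age out.
set ssh_meter4 { type ipv4_addr; flags dynamic,timeout; timeout 10m; }
set ssh_meter6 { type ipv6_addr; flags dynamic,timeout; timeout 10m; }

# Cooldown sets. An entry expires 5 minutes after it was last refreshed.
set ssh_ban4 { type ipv4_addr; flags dynamic,timeout; timeout 5m; }
set ssh_ban6 { type ipv6_addr; flags dynamic,timeout; timeout 5m; }

chain ssh_throttle {
	# priority -1: evaluated before fw4's own input chain (priority 0), so a
	# drop here wins even where a LuCI traffic rule would accept the port.
	type filter hook input priority -1; policy accept;

	# 1. Rate check. "limit rate over" matches only once the source exceeds
	#    10 new connections/minute (burst 10); then the source is written into
	#    the cooldown set. "update" (not "add") refreshes the 5m timer on every
	#    further offence, so the ban ends only after the source has stayed
	#    under the limit for 5 minutes, which is the behaviour asked for above.
	tcp dport 22 ct state new add @ssh_meter4 { ip saddr limit rate over 10/minute burst 10 packets } update @ssh_ban4 { ip saddr }
	tcp dport 22 ct state new add @ssh_meter6 { ip6 saddr limit rate over 10/minute burst 10 packets } update @ssh_ban6 { ip6 saddr }

	# 2. Sampled logging: "numgen random mod 100 < 3" matches about 3% of the
	#    packets from banned sources. This is a separate rule on purpose: a
	#    failed match ends the rule, so placing the sampler in front of "drop"
	#    would let the other 97% of packets through.
	ip saddr @ssh_ban4 numgen random mod 100 < 3 log prefix "ssh-throttle4: "
	ip6 saddr @ssh_ban6 numgen random mod 100 < 3 log prefix "ssh-throttle6: "

	# 3. Cooldown enforcement: everything from a banned source is dropped
	#    (prepend "tcp dport 22" if the ban should only cover SSH, which also
	#    keeps an admin VPN reachable from an address that tripped the meter).
	ip saddr @ssh_ban4 drop
	ip6 saddr @ssh_ban6 drop
}
```

Validate with `fw4 check` before `fw4 reload`; `fw4 print` shows where the chain lands in the generated ruleset, and `nft list set inet fw4 ssh_ban4` lists the addresses currently in cooldown together with their remaining timeouts. Note that the drop in step 3 is unconditional, so test from a second address before relying on it, exactly the lock-out concern raised in the question.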
Ah, you could try port knocking to make a few services somewhat less obvious to reach... While not really a secure method (unless you essentially use single-use knock sequences changed for every try or so), it adds obscurity and could help get your services out of the cone of typical opportunistic port scans...