Hi,
New to this forum, but not exactly a newbie. I have browsed/searched the forum topics here for an answer, but with little luck.
Some months ago I purchased a Protectli x86 device to be used with OpenWrt. I have spent many hours trying different things, but I have had no luck with logging such that I am not logging everything all the time.
By design, OpenWrt has a feature to handle SYN floods. But how can I log those SYN floods, even though OpenWrt mitigates them?
I have entered specific instructions in "firewall.user" to log everything. That was easy to do, but the system/kernel logs get too wordy and busy way too quickly with all kinds of other things. The older Cisco router that I have logs the SYN flood attacks from specific addresses but not all the other "good" traffic.
I tried using "hping3" from a different IP to test OpenWrt to see if it would log the SYN flood attempt, but nothing shows up in the system/kernel logs unless I log everything!
I am reluctant to use the Protectli as my main router until I am 100% sure that I have blocked most, if not all, of the basic/advanced bad things that hackers attempt on a daily basis. To that end, things like WAN access to ssh/LuCI/ping are of course blocked, but I have no way of knowing whether I just got lucky or OpenWrt is doing its job, as I seem to lack the knowledge on how to log these specific and other events that I can synthetically create and test.
Thank you for taking the time to read this and if this is an old topic with an answer on this forum please leave a link for me here. Very much appreciated.
Assuming you're running a recent 22.03 (or SNAPSHOT), with fw4, then there's probably not a lot of history on this.
Would counters on the rules be a sufficient diagnostic? If so, you could hack /usr/share/firewall4/templates/ruleset.uc and change the syn_flood chain's rules to contain counters.
I edited the file down at about line 206 in my version, searched for 'syn_flood' and added the 'counter' values you see in the two locations below:
204 chain syn_flood {
205 limit rate {{ r.rate }}/{{ r.unit }}
206 {%- if (b): %} burst {{ b }} packets{% endif %} counter return comment "!fw4: Accept SYN packets below rate-limit"
207 counter drop comment "!fw4: Drop excess packets"
208 }
Next up, verify that you didn't break anything:
fw4 check
Assuming that went well,
fw4 reload
then check the values of the counters
nft list chain inet fw4 syn_flood
Run your hping on the other machine, then show the chain again. Should show you the number of packets and bytes that got passed through those rules.