How to stop SYN packets using fw4?

bmx29 · January 31, 2023, 11:44pm

Hello,

I recently installed stable openwrt-22.03 by hnyman. I don't know how to handle SYN scans on the WAN interface that show up every few seconds. I don't want the router to respond to them, just drop them.

syn1

I have tried several commands which unfortunately do not work. I am not sure if they are correct and if I need to reload firewall.

nft add rule inet fw4 input_wan tcp flags \& \(syn\|rst\) == \(syn\|rst\) drop
nft add rule inet fw4 input_wan tcp flags \& \(fin\|syn\|rst\|psh\|ack\|urg\) == 0x0 counter drop

Can someone point me in the right direction?

Bill · January 31, 2023, 11:57pm

I would think that any changes to the user firewall would require a restart.

uci commit firewall; /etc/init.d/firewall restart

stangri · February 1, 2023, 12:46am

Actually, that would wipe out the nft rules added manually as per OPs post.

lleachii · February 1, 2023, 6:06am

I had a similar inquiry:

[22.03] Translate extra/raw firewall rules

How would I translate?

config rule
	option proto 'tcp'
	option name 'Block_In_Not_SYN'
	option src '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'

config rule
	option name 'Block_FWD_Not_SYN'
	option proto 'tcp'
	option src '*'
	option dest '*'
	option target 'DROP'
	option extra '! --syn -m conntrack --ctstate NEW'

No. 1 firewalls nearly 70% of my unsolicited

bmx29 · February 1, 2023, 5:37pm

I inserted the recommended rules from another thread into each input and input_wan chain without any effect. I also tried putting them in /etc/nftables.d/10-custom-filter-chains.nft

        # Drop XMAS packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop

        # Drop NULL packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

Only after I changed the input action in the wan zone from reject to drop it works as intended.