firewall: Implement generating SYNPROXY rules
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 18 Apr 2024 21:11:43 +0000 (21:11 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 2 Jul 2024 09:30:28 +0000 (09:30 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/rules.pl
src/initscripts/system/firewall

index a47c260a152647ab9c740578d4e3c0f27beb0d0a..e38f772428569c2207eb3fe4d547cf998a087cf5 100644 (file)
@@ -297,6 +297,9 @@ sub buildrules {
                        $NAT_MODE = uc($$hash{$key}[31]);
                }
 
+               # Enable SYN flood protection?
+               my $SYN_FLOOD_PROTECTION = 0;
+
                # Set up time constraints.
                my @time_options = ();
                if ($$hash{$key}[18] eq 'ON') {
@@ -370,6 +373,11 @@ sub buildrules {
                        }
                }
 
+               # DoS Protection
+               if (($elements ge 38) && ($$hash{$key}[37] eq "ON")) {
+                       $SYN_FLOOD_PROTECTION = 1;
+               }
+
                # Check which protocols are used in this rule and so that we can
                # later group rules by protocols.
                my @protocols = &get_protocols($hash, $key);
@@ -608,6 +616,10 @@ sub buildrules {
                                        }
                                        run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
 
+                                       if ($SYN_FLOOD_PROTECTION && ($protocol eq "tcp")) {
+                                               run("$IPTABLES -t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack");
+                                       }
+
                                        # Handle forwarding rules and add corresponding rules for firewall access.
                                        if ($chain eq $CHAIN_FORWARD) {
                                                # If the firewall is part of the destination subnet and access to the destination network
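Review bot: The rule generation in the third hunk is only half of a SYNPROXY setup: it emits `-t raw -A SYN_FLOOD_PROTECT @options -j CT --notrack`, but no `-j SYNPROXY` rule for the resulting UNTRACKED SYNs (and no drop of `--ctstate INVALID` for the proxied handshake) appears in this commit or in the initscript hunk, which only creates the chain and the `-p tcp --syn` jump; unless those are generated elsewhere, the untracked SYNs would simply arrive at the filter rule emitted by the preceding `run(...)` line, and the effect then depends on what `@options` already matches. The raw rule also reuses `@options` without `@source_intf_options`, so it applies on every ingress interface of PREROUTING rather than only the interface the filter rule is bound to; if that is intended, a comment such as `# raw PREROUTING has no interface binding here: notrack applies to this match on all ingress interfaces` would make it explicit. In the second hunk, `$elements ge 38` is a string comparison on a count; use `if (($elements >= 38) && ($$hash{$key}[37] eq "ON")) {` so the guard is numeric and a value with a different number of digits cannot slip past it into the uninitialized `[37]` lookup. buildrules starts before the first hunk and continues after the last one.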
index 1250b9ff4d25c7a6ae01d19b986a6b60c3886340..6727e4a20c009025da4cc509d57957475f2ea5b1 100644 (file)
@@ -407,6 +407,10 @@ iptables_init() {
        iptables -t nat -N REDNAT
        iptables -t nat -A POSTROUTING -j REDNAT
 
+       # SYN Flood Protection
+       iptables -t raw -N SYN_FLOOD_PROTECT
+       iptables -t raw -A PREROUTING -p tcp --syn -j SYN_FLOOD_PROTECT
+
        # Populate IPsec chains
        /usr/lib/firewall/ipsec-policy