The previous commit introduced a new protection mechanism to forbid
communications with clients which use a privileged source port. By
default, this mechanism is disabled for every protocol.
This patch changes the default value and activates the protection
mechanism for the QUIC protocol. This is justified as it is a probable sign
of a DNS/NTP amplification attack.
This is labelled as major as it can be a breaking change with some
network environments.
harden.reject-privileged-ports.quic { on | off }
Toggle per protocol protection which forbid communication with clients which
use privileged ports as their source port. This range of ports is defined
- according to RFC 6335. Protection is inactive by default on both protocols.
+ according to RFC 6335. By default, protection is active for QUIC protocol as
+ this behavior is suspicious and may be used as a spoofing or DNS/NTP
+ amplification attack.
http-err-codes [+-]<range>[,...] [...]
Replace, reduce or extend the list of status codes that define an error as
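Review bot: the replacement text on the added lines drops the statement about the other protocol's default without replacing it. The removed line ("Protection is inactive by default on both protocols") documented both variants, while the new wording only says protection is active for QUIC; an operator reading this entry can no longer tell whether the TCP default also changed. Suggest keeping an explicit sentence such as "It remains inactive by default for TCP." Also, "may be used as a spoofing or DNS/NTP amplification attack" is grammatically off: a privileged source port is not itself an attack, it is an indicator of one. Something like "may indicate a spoofed source address used in a DNS/NTP amplification attack" reads more precisely, and "for QUIC protocol" should be "for the QUIC protocol".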
.maxsslconn = DEFAULT_MAXSSLCONN,
#endif
#endif
- /* by default do not protect against clients using privileged port */
- .clt_privileged_ports = HA_PROTO_ANY,
+ /* by default allow clients which use a privileged port for TCP only */
+ .clt_privileged_ports = HA_PROTO_TCP,
/* others NULL OK */
};
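Review bot: the new default expresses the policy as "TCP only" (`.clt_privileged_ports = HA_PROTO_TCP`) where the intent stated in the commit message is "everything except QUIC". If `HA_PROTO_*` values are combinable flags (the old default `HA_PROTO_ANY` suggests a mask), any protocol added to that set later would silently inherit the rejection, which is the breaking behaviour the commit message warns about. Suggest writing the default as the full mask with only the QUIC flag cleared, or at least extending the comment to say that QUIC is deliberately excluded and that the `harden.reject-privileged-ports.quic` keyword restores the old behaviour, so the two sites stay in sync.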