diff --git a/ChangeLog b/ChangeLog
index d1a19a7..f303901 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,8 +2,6 @@
 - Reorder rules, place allow before block to allow overrides
 - Fixes for conntrack rules for better security (added -o/-i)
 - Correct some incorrect info in options.default
- - Add NTPDDOSRATELIMIT to IPV4_HACKS as a basic protection against being
- used as a NTP DDoS source. Not well tested, use at own risk.
 1.0 - Brielle Bruns
 - Minor tweaks to various config files
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 25f486e..3cf11d8 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -203,8 +203,9 @@ if [ "$IPTABLES_MULTIPORT" ]; then
 fi
 # Trying to better clean up some of my code, so lets try using a blackhole target
-$IPTABLES -N BLACKHOLE
-$IPTABLES -A BLACKHOLE -j DROP
+$IPTABLES -N BLACKHOLE-IN
+$IPTABLES -N BLACKHOLE-OUT
+
 $IPTABLES -A INPUT -i lo -j ACCEPT
diff --git a/include/functions b/include/functions
index 781328a..ac6509e 100755
--- a/include/functions
+++ b/include/functions
@@ -160,17 +160,6 @@ function apply_ipv4_hack {
 fi
 done
 ;;
- NTPDDOSRATELIMIT)
- # Rate limit NTP DDOS UDP traffic using rules provided on the nanog list by
- # pashdown@xmission.com
- $IPTABLES -N NTP
- $IPTABLES -I BLACKHOLE 1 -m recent --set --name ntpv4blackhole --rsource
- $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name \ ntpv4 --rsource -j BLACKHOLE
- $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name \ ntpv4blackhole --rsource -j DROP
- $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
- $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
 esac
 shift
 done
diff --git a/options.default b/options.default
index 681b56c..f47255a 100755
--- a/options.default
+++ b/options.default
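Review bot: Nothing in the new code gives BLACKHOLE-IN or BLACKHOLE-OUT a terminating rule: the old `$IPTABLES -A BLACKHOLE -j DROP` is removed after the two `-N` lines and not replaced, and a user-defined chain with no rules simply returns to the calling chain, so any `-j BLACKHOLE-IN` or `-j BLACKHOLE-OUT` jump would fall through to the rules that follow instead of discarding the packet — unless those chains are populated further down the script, outside this hunk. If the comment's "blackhole target" intent still holds, add `$IPTABLES -A BLACKHOLE-IN -j DROP` and `$IPTABLES -A BLACKHOLE-OUT -j DROP` directly after the `-N` lines, or append a comment saying where the chains receive their rules so a reader does not assume they drop. Also worth a grep of the tree: any remaining `-j BLACKHOLE` reference will now fail at load time with "No chain/target/match by that name" because the old chain is no longer created (the NTP hack in include/functions that jumped to it is deleted in this same commit, but other callers may exist). The surrounding top-level script continues outside the hunk.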
@@ -150,10 +150,6 @@ DONTTRACK="127.0.0.1"
 # I have things going through specific wires for a reason. This fixes
 # that and makes it behave as expected.
 #
-# NTPDDOSRATELIMIT - Basic form of rate limiting/blocking on incoming NTP traffic
-# that may cause local NTP server to be used in a DDoS attack.
-# Not well tested yet, use at own risk.
-#
 #HACK_IPV4="NS-IN-DDOS"
 # IP Ranges to block all traffic incoming/outgoing