Make nftables block various invalid TCP flag combinations

author Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)

committer Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)
author Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)
committer Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb

index cb9891624da3f35e36f13790b7aa365cce3fa589..63bcb908bb0746f9962f1a319cf60880e5ede675 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -70,6 +70,14 @@ table inet filter {
  
      meta l4proto { icmp, icmpv6 } jump log-and-drop
  
+    tcp flags fin,psh,urg / fin,syn,rst,psh,ack,urg jump log-and-drop
+    tcp flags ! fin,syn,rst,psh,ack,urg jump log-and-drop
+    tcp flags syn,rst / syn,rst jump log-and-drop
+    tcp flags fin,rst / fin,rst jump log-and-drop
+    tcp flags fin,syn / fin,syn jump log-and-drop
+    tcp flags fin,psh / fin,psh,ack jump log-and-drop
+    tcp sport 0 tcp flags syn / fin,syn,rst,ack jump log-and-drop
+
  <%- node[:networking][:firewall][:incoming].uniq.each do |rule| %>
      <%= rule %>
  <%- end %>
author	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 15:27:15 +0000 (15:27 +0000)