Adjust Rules concerning Unifi Controller. Add digfferent Parameters for block 'Protection against several attacks'.
This commit is contained in:
@ -110,3 +110,103 @@ provide_mailservice_from_local=true
|
||||
# -
|
||||
create_iperf_rules=false
|
||||
|
||||
|
||||
|
||||
# =============
|
||||
# --- Router IPv4
|
||||
# =============
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
drop_syn_flood=true
|
||||
|
||||
# - I have to say that fragments scare me more than anything.
|
||||
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||
# - fragments is very OS-dependent (see this paper for details).
|
||||
# - I am not going to trust any fragments.
|
||||
# - Log fragments just to see if we get any, and deny them too
|
||||
# -
|
||||
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||
# -
|
||||
drop_fragments=false
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
drop_new_not_sync=false
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
drop_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
drop_invalid_flags=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
drop_spoofed=true
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
#
|
||||
drop_spoofed_out=true
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
drop_ext_to_lo=true
|
||||
|
||||
|
||||
|
||||
# =============
|
||||
# --- Router IPv6
|
||||
# =============
|
||||
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust6_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect6_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
drop6_syn_flood=true
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
drop6_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
drop6_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
drop6_invalid_flags=true
|
||||
|
||||
# Refuse spoofed packets pretending to be from your IP address.
|
||||
#
|
||||
drop6_from_own_ip=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
drop6_spoofed=true
|
||||
|
||||
@ -1737,11 +1737,59 @@ not_wanted_ident=true
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
#adjust_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
#protect_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
#drop_syn_flood=false
|
||||
|
||||
# - I have to say that fragments scare me more than anything.
|
||||
# - Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
||||
# - Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
||||
# - fragments is very OS-dependent (see this paper for details).
|
||||
# - I am not going to trust any fragments.
|
||||
# - Log fragments just to see if we get any, and deny them too
|
||||
# -
|
||||
# - !! 'drop_fragments' does not work within telekom mobile connections !!
|
||||
# -
|
||||
#drop_fragments=true
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
#drop_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
#drop_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
#drop_invalid_flags=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
# Refuse packets claiming to be from a
|
||||
# Class A private network
|
||||
# Class B private network
|
||||
# Class C private network
|
||||
# loopback interface
|
||||
# Class D multicast address
|
||||
# Class E reserved IP address
|
||||
# broadcast address
|
||||
#drop_spoofed=true
|
||||
|
||||
# Don't allow spoofing from that server
|
||||
#
|
||||
#drop_spoofed_out=true
|
||||
|
||||
# Refusing packets claiming to be to the loopback interface protects against
|
||||
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
||||
# quench to the loopback.
|
||||
#drop_ext_to_lo=true
|
||||
|
||||
|
||||
|
||||
|
||||
@ -1680,11 +1680,35 @@ not_wanted_ident=true
|
||||
|
||||
# - Set to "true" to secure/tune the kernel
|
||||
# -
|
||||
adjust_kernel_parameters=true
|
||||
#adjust6_kernel_parameters=true
|
||||
|
||||
# - Protection against several attacks
|
||||
# -
|
||||
protect_against_several_attacks=true
|
||||
#protect6_against_several_attacks=true
|
||||
|
||||
# Protection against syn-flooding
|
||||
#
|
||||
#drop6_syn_flood=false
|
||||
|
||||
# drop new packages without syn flag
|
||||
#
|
||||
#drop6_new_not_sync=true
|
||||
|
||||
# drop invalid packages
|
||||
#
|
||||
#drop6_invalid_state=true
|
||||
|
||||
# drop packages with unusal flags
|
||||
#
|
||||
#drop6_invalid_flags=true
|
||||
|
||||
# Refuse spoofed packets pretending to be from your IP address.
|
||||
#
|
||||
#drop6_from_own_ip=true
|
||||
|
||||
# Refuse private addresses on extern interfaces
|
||||
#
|
||||
#drop6_spoofed=true
|
||||
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user