firewall: add rule for traceroute support

Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.

This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 8874e9882c3083932fc90e061739dc265992eb61..5e22f984ce9f9e0ef3bd63f73816356c2dd1d8df 100644 (file)
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -129,6 +129,19 @@ config rule
        option proto            udp
        option target           ACCEPT
 
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+       option name             Support-UDP-Traceroute
+       option src              wan
+       option dest_port        33434:33689
+       option proto            udp
+       option family           ipv4
+       option target           REJECT
+       option enabled          false
+
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user