DDoS protection on Tomato

Discussion in 'Tomato Firmware' started by rs232, Jan 31, 2019.

  1. rs232

    rs232 Network Guru Member

    I was just installing a bespoke outdoor CPE (not tomato) and I came across an interesting config page.
    I'm wondering how tomato is (or isn't) protecting against each of the following:


    Perhaps there are some good ideas to be implemented from this.

    Any comment?
  2. rgnldo

    rgnldo Networkin' Nut Member

    This suggestion is very simple. However, this is covered in Administration -> Scripts -> Firewall. Just add an iptables script:
    # accept at most one forwarded echo request per second
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # accept at most one forwarded TCP packet per second (the excess falls through to the rules below)
    iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # rate-limit bare RST packets
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # drop packets with exactly SYN+ACK set (unsolicited replies)
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j DROP
    # "-m unclean" no longer exists in 2.6 kernels; INVALID is the conntrack equivalent
    iptables -A FORWARD -m state --state INVALID -j DROP
  3. rs232

    rs232 Network Guru Member


    I think what I was suggesting here was to go through the list as per the image I posted, check what tomato already does (e.g. "Reject echo requests" is an option that has been there for years) and see what is missing.

    Also allow me: block and limit are two different things.

    My OP was looking for expertise/feedback to identify gaps and hopefully implement them in the GUI under the firewall page. Your post is nonetheless very much appreciated, as it partially addresses what a GUI modification should hopefully cover.
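    Added example for the two posts above (it is not code from the thread or from the Tomato/FreshTomato project): a script for Administration -> Scripts -> Firewall that limits per-source SYN rate and WAN echo requests and then drops the excess, so it both limits and blocks rather than only accepting a trickle and letting the rest fall through to the rules Tomato already installed. The WAN interface name, the chain name ddos_guard, the rates and the presence of the hashlimit and state matches in the router's iptables are all assumptions; check the last one with `iptables -m hashlimit -h` before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomato project.
# Limit-then-drop firewall script for Administration -> Scripts -> Firewall.
# Assumptions: the WAN interface name, the chain name, the rates, and that the
# router's iptables has the hashlimit and state matches.

WAN_IF="${WAN_IF:-vlan2}"          # assumption; confirm with: nvram get wan_iface
SYN_RATE="${SYN_RATE:-20/sec}"     # steady new-connection rate allowed per source
SYN_BURST="${SYN_BURST:-40}"       # short burst allowed before the rate applies
ICMP_RATE="${ICMP_RATE:-4/sec}"    # echo requests from the WAN, all sources together

# Print the rules instead of applying them, so the set can be reviewed first.
# A dedicated chain is filled with -A (natural order) and then hooked in at
# position 1 of INPUT and FORWARD, ahead of everything Tomato set up.
# The -D before each -I keeps the hook from being duplicated when the script
# is run again; -D is harmless if the rule is not there yet.
ddos_rules() {
    cat <<EOF
iptables -N ddos_guard 2>/dev/null
iptables -F ddos_guard
# packets conntrack cannot classify (replacement for the old "-m unclean")
iptables -A ddos_guard -m state --state INVALID -j DROP
# flag combinations no real stack sends
iptables -A ddos_guard -p tcp --tcp-flags ALL NONE -j DROP
iptables -A ddos_guard -p tcp --tcp-flags ALL ALL -j DROP
iptables -A ddos_guard -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A ddos_guard -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# per-source SYN limit: within budget -> back to the normal rules, else dropped
iptables -A ddos_guard -p tcp --syn -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit $SYN_RATE --hashlimit-burst $SYN_BURST -j RETURN
iptables -A ddos_guard -p tcp --syn -j DROP
# echo requests: same limit-then-block pattern, one shared bucket
iptables -A ddos_guard -p icmp --icmp-type echo-request -m limit --limit $ICMP_RATE --limit-burst 8 -j RETURN
iptables -A ddos_guard -p icmp --icmp-type echo-request -j DROP
iptables -A ddos_guard -j RETURN
iptables -D INPUT -i $WAN_IF -j ddos_guard 2>/dev/null
iptables -I INPUT 1 -i $WAN_IF -j ddos_guard
iptables -D FORWARD -i $WAN_IF -j ddos_guard 2>/dev/null
iptables -I FORWARD 1 -i $WAN_IF -j ddos_guard
EOF
}

# Review check for the "block vs limit" point: every rate-limit rule (-j RETURN)
# must be followed by a DROP for the same traffic, otherwise the script only
# limits what it lets through and blocks nothing. Exits 0 when both limits are
# backed by a drop.
limited_flows_dropped() {
    ddos_rules | grep -v '^#' | awk '
        /-j RETURN$/ && /-m (hashlimit|limit) / { pending++ }
        /-j DROP$/ && pending > 0             { pending--; dropped++ }
        END { if (dropped == 2 && pending == 0) exit 0; exit 1 }'
}

case "${1:-}" in
    --apply) limited_flows_dropped && ddos_rules | grep -v '^#' | sh ;;
    *)       ddos_rules ;;
esac
```

Run it with no argument to see the rule set, and with --apply (or paste the body into the Firewall script box) to load it. Tomato re-runs the Firewall script whenever it rebuilds its firewall, which is why the hook is removed and re-inserted rather than simply appended.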
  4. M_ars

    M_ars Network Guru Member

  5. rgnldo

    rgnldo Networkin' Nut Member

    Maybe this is not what you want: this post
  6. rgnldo

    rgnldo Networkin' Nut Member

    I do not know much about web languages and commands. This implementation may hamper other FreshTomato implementations.

    The fact is that there is no magic solution, setup or product able to mitigate these attacks completely; rather, it takes several countermeasures, depending of course on your environment and your budget, to minimize them, not to mention the old saying "Have a weapon greater than that of your enemy", which in this case means bandwidth.

    Solution that really works:
    ConfigServer Security & Firewall (csf)

    There is Adamm's Skynet project, which is aimed at the Merlin community. You could adapt it.
    Last edited: Jan 31, 2019
  7. Elfew

    Elfew Network Guru Member

    It would be nice addition and an extra layer of security :)
