From: Tom Hughes Date: Sat, 4 Mar 2023 15:27:15 +0000 (+0000) Subject: Make nftables block various invalid TCP flag combinations X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/29b8151b8011f934785f3434e3826eee78e61943?ds=sidebyside Make nftables block various invalid TCP flag combinations --- diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb index cb9891624..63bcb908b 100644 --- a/cookbooks/networking/templates/default/nftables.conf.erb +++ b/cookbooks/networking/templates/default/nftables.conf.erb @@ -70,6 +70,14 @@ table inet filter { meta l4proto { icmp, icmpv6 } jump log-and-drop + tcp flags fin,psh,urg / fin,syn,rst,psh,ack,urg jump log-and-drop + tcp flags ! fin,syn,rst,psh,ack,urg jump log-and-drop + tcp flags syn,rst / syn,rst jump log-and-drop + tcp flags fin,rst / fin,rst jump log-and-drop + tcp flags fin,syn / fin,syn jump log-and-drop + tcp flags fin,psh / fin,psh,ack jump log-and-drop + tcp sport 0 tcp flags syn / fin,syn,rst,ack jump log-and-drop + <%- node[:networking][:firewall][:incoming].uniq.each do |rule| %> <%= rule %> <%- end %>
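Review bot: the FIN-without-ACK case is not fully covered by the new block: `tcp flags fin,psh / fin,psh,ack jump log-and-drop` only catches FIN+PSH with ACK clear, so a segment carrying FIN alone (or FIN+URG) without ACK still falls through to the per-node `<%= rule %>` lines below. Since any non-SYN, non-RST segment must carry ACK, a single rule such as `tcp flags fin / fin,ack jump log-and-drop` (mask fin,ack, match fin) would drop every FIN-without-ACK variant and make the fin,psh / fin,psh,ack line redundant. Two smaller points on the same hunk: the seven rules have no `comment "..."` annotations, so a reader of the rendered ruleset cannot tell that `fin,psh,urg / fin,syn,rst,psh,ack,urg` is the XMAS pattern and `! fin,syn,rst,psh,ack,urg` the NULL pattern; naming each combination inline would help the next person editing this template. Placement is right, though: the block sits before the `node[:networking][:firewall][:incoming]` rules, so a host-specific `accept` added through the template cannot let one of these combinations through.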