Admin Restrictions - Limit Connection Attempts leads to no firewall (WebUI bug -> security problem)

Issue #44 resolved
Konstantin Pelepelin created an issue

freshtomato-WS880-ARM_NG-2020.3-AIO-64K.trx

Total / Free NVRAM 64.00 KB / 25.74 KB

On /admin-access.asp, Admin Restrictions - Limit Connection Attempts allows entering a count of up to 100. However, a value larger than 19 leads to a failure to reload the filter table rules. The failure is in no way reflected in the web UI. If the router is subsequently rebooted, it is left without a firewall.

Log record is:

Jun  7 16:48:21 router user.crit preinit[1]: Error while loading rules. See /etc/iptables.error file.
Jun  7 16:48:21 router kern.info kernel: xt_recent: hitcount (100) is larger than packets to be remembered (20)

Note that the value in the iptables rule is 1 greater than the entered value, so the field should be limited to 19. For example, if the entered count is 19 per 30 seconds, then the created iptables rule is

-A shlimit -m recent --update --seconds 30 --hitcount 20 --name shlimit --rsource -j DROP
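The check the WebUI is missing, as an added example that is not part of the issue report or of the FreshTomato code: it rebuilds the shlimit rule the way the report describes (hitcount = entered count + 1), reads xt_recent's ip_pkt_list_tot limit from sysfs when the module is loaded (falling back to the Linux default of 20, which matches the "packets to be remembered (20)" in the log), and refuses a count the kernel would reject instead of letting the whole rule set fail to load. The function names, the sysfs fallback and the sample counts are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not FreshTomato code: validate the Limit Connection
# Attempts count against xt_recent before writing the shlimit rule.

# xt_recent remembers at most ip_pkt_list_tot packets per source address;
# the Linux default is 20. A rule whose --hitcount exceeds it is refused
# with "hitcount (N) is larger than packets to be remembered (M)".
XT_RECENT_LIST_TOT_DEFAULT=20

# Current limit: module parameter if xt_recent is loaded, else the default.
xt_recent_list_tot() {
    f=/sys/module/xt_recent/parameters/ip_pkt_list_tot
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "$XT_RECENT_LIST_TOT_DEFAULT"
    fi
}

# Rule as the firmware writes it for "count attempts every seconds":
# --hitcount is one more than the number entered in the WebUI.
shlimit_rule() {  # $1 = count entered in the WebUI, $2 = seconds
    echo "-A shlimit -m recent --update --seconds $2 --hitcount $(( $1 + 1 )) --name shlimit --rsource -j DROP"
}

# Largest count the WebUI field may accept for a given list size.
max_ui_count() {  # $1 = ip_pkt_list_tot (defaults to the detected value)
    echo $(( ${1:-$(xt_recent_list_tot)} - 1 ))
}

# Returns 0 if iptables will load the rule, 1 if xt_recent will reject it.
shlimit_count_ok() {  # $1 = count entered, $2 = ip_pkt_list_tot (optional)
    tot=${2:-$(xt_recent_list_tot)}
    [ $(( $1 + 1 )) -le "$tot" ]
}

# Usage: validate before emitting the rule, which is what the WebUI should do.
# Constructed sample counts: 19 is the largest that loads, 20 and 100 fail.
for n in 19 20 100; do
    if shlimit_count_ok "$n"; then
        echo "ok:     $(shlimit_rule "$n" 30)"
    else
        echo "reject: count $n needs hitcount $(( n + 1 )) > $(xt_recent_list_tot) (max count $(max_ui_count))"
    fi
done
```

Running this on a box without xt_recent loaded uses the default of 20, so the field limit it reports is 19, as the report concludes. If the firmware ever loaded xt_recent with a larger ip_pkt_list_tot, the same check would allow the correspondingly larger count rather than hard-coding 19.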
