summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2023-09-21 21:15:49 +0200
committerGitHub <noreply@github.com>2023-09-21 21:15:49 +0200
commit0013b5700369081ba4638f551797c5c7d918e66e (patch)
treed850c29f63e940ad5fd505697d4abaf22b741bb3
parenta7f6b67f7e8c2d6aae9db17832ed26abbb29beee (diff)
parentf7cd4483aa8a9c6c24866d6faccd5ec070e98de5 (diff)
downloadvyos-documentation-0013b5700369081ba4638f551797c5c7d918e66e.tar.gz
vyos-documentation-0013b5700369081ba4638f551797c5c7d918e66e.zip
Merge pull request #1092 from sever-sever/synproxy
Add firewal synproxy
-rw-r--r--docs/configuration/firewall/general.rst49
1 files changed, 47 insertions, 2 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 0e172a24..d2bc1435 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -351,10 +351,12 @@ The action can be :
* ``queue``: Enqueue packet to userspace.
+ * ``synproxy``: synproxy the packet.
+
.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
+ [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
+ [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action
[accept | drop | jump | queue | reject | return]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
@@ -1264,6 +1266,49 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
+********
+Synproxy
+********
+Synproxy connections
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+
+ Set TCP-MSS (maximum segment size) for the connection
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+
+ Set the window scale factor for TCP window scaling
+
+Example synproxy
+================
+Requirements to enable synproxy:
+
+ * Traffic must be symmetric
+ * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
+ * Disable conntrack loose track option
+
+.. code-block:: none
+
+ set system sysctl parameter net.ipv4.tcp_timestamps value '1'
+
+ set system conntrack tcp loose disable
+ set system conntrack ignore ipv4 rule 10 destination port '8080'
+ set system conntrack ignore ipv4 rule 10 protocol 'tcp'
+ set system conntrack ignore ipv4 rule 10 tcp flags syn
+
+ set firewall global-options syn-cookies 'enable'
+ set firewall ipv4 input filter rule 10 action 'synproxy'
+ set firewall ipv4 input filter rule 10 destination port '8080'
+ set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv4 input filter rule 10 protocol 'tcp'
+ set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
+ set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
+ set firewall ipv4 input filter rule 1000 action 'drop'
+ set firewall ipv4 input filter rule 1000 state invalid 'enable'
+
+
***********************
Operation-mode Firewall
***********************