From f7cd4483aa8a9c6c24866d6faccd5ec070e98de5 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 21 Sep 2023 15:22:34 +0300 Subject: Add firewal synproxy --- docs/configuration/firewall/general.rst | 49 +++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 0e172a24..d2bc1435 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -351,10 +351,12 @@ The action can be : * ``queue``: Enqueue packet to userspace. + * ``synproxy``: synproxy the packet. + .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] + [accept | drop | jump | queue | reject | return | synproxy] .. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] + [accept | drop | jump | queue | reject | return | synproxy] .. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action [accept | drop | jump | queue | reject | return] .. cfgcmd:: set firewall ipv4 name rule <1-999999> action @@ -1264,6 +1266,49 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + *********************** Operation-mode Firewall *********************** -- cgit v1.2.3