Merge pull request #1092 from sever-sever/synproxy

Add firewall synproxy
Robert Göhler 2023-09-21 21:15:49 +02:00 committed by GitHub
commit 0013b57003
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -351,10 +351,12 @@ The action can be :
* ``queue``: Enqueue packet to userspace. * ``queue``: Enqueue packet to userspace.
* ``synproxy``: synproxy the packet.
.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action
[accept | drop | jump | queue | reject | return] [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action .. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action
[accept | drop | jump | queue | reject | return] [accept | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action .. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action
[accept | drop | jump | queue | reject | return] [accept | drop | jump | queue | reject | return]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
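Review bot: the new bullet ``* ``synproxy``: synproxy the packet.`` is circular and tells the reader nothing about the behaviour; say instead that the firewall answers the client's SYN and completes the TCP three-way handshake on behalf of the destination, passing the connection on only once the client has finished it, and point to the new Synproxy section for the prerequisites. It would also help to state in this hunk that the action is only available for the ``input`` and ``forward`` filters, since the ``output`` cfgcmd directly below keeps the old action list and a reader comparing the three lines will otherwise wonder whether that omission is deliberate.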
@ -1264,6 +1266,49 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts. matching criteria can be used to block brute-force attempts.
********
Synproxy
********
Synproxy connections
.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy
.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp
.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
Set TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
Set the window scale factor for TCP window scaling
Example synproxy
================
Requirements to enable synproxy:
* Traffic must be symmetric
* Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
* Disable conntrack loose track option
.. code-block:: none
set system sysctl parameter net.ipv4.tcp_timestamps value '1'
set system conntrack tcp loose disable
set system conntrack ignore ipv4 rule 10 destination port '8080'
set system conntrack ignore ipv4 rule 10 protocol 'tcp'
set system conntrack ignore ipv4 rule 10 tcp flags syn
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '8080'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 state invalid 'enable'
*********************** ***********************
Operation-mode Firewall Operation-mode Firewall
*********************** ***********************
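Review bot: the example depends on settings that the requirements list never explains, so a reader cannot adapt it safely. The `set system conntrack ignore ipv4 rule 10 tcp flags syn` line (with its port and protocol companions) is what keeps inbound SYNs for the proxied service out of connection tracking until the proxied handshake succeeds; add that as an explicit requirement next to "Disable conntrack loose track option" rather than leaving it to be inferred from the config. Likewise `synproxy tcp mss '1460'` and `synproxy tcp window-scale '7'` are shown as bare values; document that they must match what the protected server itself announces, because the proxy advertises them to the client before the server is ever contacted. The trailing `rule 1000 action 'drop'` with `state invalid 'enable'` is part of the setup, not an unrelated extra, since packets from handshakes that never complete show up as invalid; a sentence saying so belongs in the requirements. Minor style: `tcp flags syn` is the only unquoted value in the block (every other value is quoted, e.g. `'tcp'`), and the cfgcmd descriptions "Synproxy connections", "Set TCP-MSS (maximum segment size) for the connection" and "Set the window scale factor for TCP window scaling" lack the terminating period used by the surrounding sections.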