On 02/25/2016 12:23 AM, kAja Ziegler wrote:
> Hi Tom and all users,
>
> Any news about the SYN proxy (SYNPROXY) support in Shorewall?
>
> Thank you and best regards,
While there is currently no explicit support for SYNPROXY, the conntrack and rules files support the features required to allow you to create the SYNPROXY rules yourself. What follows below assumes Shorewall 5.0.

Referring to http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/#more-273:

1. Rule

   iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT -j CT --notrack

   is implemented in the conntrack file as:

   CT:notrack:P $DEV - tcp $PORT ;; -m tcp --syn

2. Rule

   iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

   is implemented in the rules file as:

   IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460)\
       net $FW tcp $PORT

   It needs to be placed in both the INVALID and UNTRACKED sections of the file and you need to define SYNPROXY as a builtin action in /etc/shorewall/actions.

3. Rule

   iptables -A INPUT -m state --state INVALID -j DROP

   can be implemented as a simple DROP rule in the INVALID section:

   DROP net $FW tcp

The sysctl stuff can, of course, be placed in /etc/sysctl.conf.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
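The three mappings above, assembled into complete Shorewall 5.0 file fragments. This is an added example, not Tom's code and not part of Shorewall itself: it writes a params, conntrack, actions and rules file plus a sysctl fragment into a directory you choose, so the iptables rules from the Red Hat article and their Shorewall equivalents can be compared side by side before anything is copied into /etc/shorewall. The interface name (eth0), the port (80), the use of a params file to hold $DEV and $PORT, and the three sysctl keys (taken from the referenced article) are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example: generate Shorewall 5.0 fragments implementing the SYNPROXY
# recipe described in the reply above. Not Tom's or Shorewall's own code.
# Assumed: $DEV/$PORT live in the Shorewall params file; interface eth0,
# port 80 are placeholders supplied by the caller.

write_synproxy_fragments() {
    dir="$1"; dev="$2"; port="$3"
    mkdir -p "$dir"

    # Variables referenced by the other files (Shorewall params file).
    # Unquoted heredoc: the caller's values are substituted here.
    cat >"$dir/params" <<EOF
DEV=$dev
PORT=$port
EOF

    # 1. iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn \
    #        --dport $PORT -j CT --notrack
    #    ':P' restricts the rule to raw/PREROUTING; ';;' separates
    #    Shorewall's columns from raw iptables matches.
    #    Quoted heredocs keep $DEV/$PORT literal for Shorewall to expand.
    cat >"$dir/conntrack" <<'EOF'
#ACTION         SOURCE   DEST   PROTO   DPORT   SPORT   USER   SWITCH
CT:notrack:P    $DEV     -      tcp     $PORT   ;;      -m tcp --syn
EOF

    # SYNPROXY is not a Shorewall action, so declare it as a builtin
    # target; otherwise IPTABLES(SYNPROXY ...) is rejected at compile time.
    cat >"$dir/actions" <<'EOF'
#ACTION     OPTIONS
SYNPROXY    builtin
EOF

    # 2. -m state --state INVALID,UNTRACKED -j SYNPROXY ...
    #    -> the same IPTABLES() rule in both the INVALID and UNTRACKED sections
    # 3. -m state --state INVALID -j DROP
    #    -> a DROP rule in the INVALID section, after the SYNPROXY rule
    cat >"$dir/rules" <<'EOF'
#ACTION                                                           SOURCE  DEST  PROTO  DPORT
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460)  net     $FW   tcp    $PORT
DROP                                                              net     $FW   tcp
?SECTION UNTRACKED
IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460)  net     $FW   tcp    $PORT
?SECTION NEW
EOF

    # The sysctl settings from the Red Hat article (assumed values):
    # SYN cookies and timestamps are required by SYNPROXY, and
    # tcp_loose=0 stops conntrack from picking up mid-stream connections.
    cat >"$dir/sysctl-synproxy.conf" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_tcp_loose = 0
EOF
}

# Usage: write_synproxy_fragments /tmp/shorewall-synproxy eth0 80
```

After merging the fragments into /etc/shorewall (the rules file above is a skeleton; keep your existing rules in their sections), run `shorewall check` before `shorewall restart`. Once it is running, `iptables -t raw -S PREROUTING` should show the CT --notrack rule and `iptables -S INPUT | grep SYNPROXY` the two state-matched SYNPROXY rules; both require a kernel and iptables built with the SYNPROXY target.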
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users