Thank you Tom.

On Thursday, February 25, 2016, Tom Eastep <teas...@shorewall.net> wrote:

> On 02/25/2016 12:23 AM, kAja Ziegler wrote:
> > Hi Tom and all users,
> >
> >   Any news about the SYN proxy (SYNPROXY) support in Shorewall?
> >
> > Thank you and best regards,
>
> While there is currently no explicit support for SYNPROXY, the conntrack
> and rules files support the features required to allow you create the
> SYNPROXY rules yourself.
>
> What follows below assumes Shorewall 5.0.
>
> Referring to
>
> http://rhelblog.redhat.com/2014/04/11/mitigate-tcp-syn-flood-attacks-with-red-hat-enterprise-linux-7-beta/#more-273 :
>
> 1. Rule
>
>  iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT
> -j CT --notrack
>
> is implemented in the conntrack file as:
>
> CT:notrack:P    $DEV    -       tcp     $PORT ;; -m tcp --syn
>
> 2. Rule
>
>  iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT -m state --state
> INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
>
> is implemented in the rules file as:
>
> IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460)\
>                 net     $FW     tcp     $PORT
>
> It needs to be placed in both the INVALID and UNTRACKED sections of the
> file and you need to define SYNPROXY as a builtin action in
> /etc/shorewall/actions.
>
> 3. Rule
>
> iptables -A INPUT -m state --state INVALID -j DROP
>
> Can be implemented as a simple DROP rule in the INVALID section:
>
> DROP    net     $FW     tcp
>
> The sysctl stuff can, of course, be placed in /etc/sysctl.conf.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>

-- 
Karel Ziegler

 e-mail:    ziegl...@gmail.com
 mobil:     +420 732 849 853
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
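The three steps Tom lists (plus the sysctl prerequisites) assembled into one reviewable unit, as an added example that is not part of the thread and not Shorewall's own code: a POSIX sh script that renders the Shorewall 5.0 `actions`, `conntrack` and `rules` fragments into a staging directory and sanity-checks their placement before anything is copied to /etc/shorewall. `$DEV` and `$PORT` are the placeholders from the thread; the function names, the staging directory, the sample values eth0/80 and the drop-in filename `99-synproxy.conf` are assumptions of this example. The sysctl values are the ones the SYNPROXY target requires according to iptables-extensions(8).

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's own code): stage the
# Shorewall 5.0 fragments for a SYNPROXY setup so they can be reviewed as one
# unit. Function names, staging dir and sample values are assumptions.
set -eu

write_synproxy_config() {
    dir=$1; dev=$2; port=$3
    mkdir -p "$dir"

    # Prerequisite for step 2: SYNPROXY is not a Shorewall action, so it has
    # to be declared as a builtin iptables target in the actions file.
    cat >"$dir/actions" <<EOF
#ACTION     OPTIONS
SYNPROXY    builtin
EOF

    # Step 1: raw-table CT --notrack for incoming SYNs (:P = PREROUTING).
    # Everything after ';;' is handed to iptables verbatim.
    cat >"$dir/conntrack" <<EOF
CT:notrack:P    $dev    -       tcp     $port   ;; -m tcp --syn
EOF

    # Steps 2 and 3: the SYNPROXY rule goes in BOTH the INVALID and UNTRACKED
    # sections. Rules inside a section are matched in order, so the catch-all
    # DROP for INVALID must come AFTER the SYNPROXY rule, and the sections
    # must appear in Shorewall's order (INVALID, UNTRACKED, NEW).
    cat >"$dir/rules" <<EOF
?SECTION INVALID
IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460) net \$FW tcp $port
DROP            net     \$FW    tcp
?SECTION UNTRACKED
IPTABLES(SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460) net \$FW tcp $port
?SECTION NEW
EOF

    # Sysctls required by the SYNPROXY target (iptables-extensions(8)).
    # Tom suggests /etc/sysctl.conf; a drop-in fragment works as well.
    cat >"$dir/99-synproxy.conf" <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.netfilter.nf_conntrack_tcp_loose = 0
EOF
}

# Returns 0 if the staged fragments follow the recipe, 1 otherwise.
check_synproxy_config() {
    dir=$1
    grep -q '^SYNPROXY[[:space:]]*builtin' "$dir/actions" || return 1
    grep -q '^CT:notrack:P.*;; -m tcp --syn$' "$dir/conntrack" || return 1
    # one SYNPROXY rule in each of the two sections
    [ "$(grep -c '^IPTABLES(SYNPROXY' "$dir/rules")" -eq 2 ] || return 1
    # inside INVALID, the DROP must come after the SYNPROXY rule
    awk '/^[?]SECTION INVALID/   { s = "INVALID" }
         /^[?]SECTION UNTRACKED/ { s = "UNTRACKED" }
         s == "INVALID" && /^IPTABLES[(]SYNPROXY/ { p = NR }
         s == "INVALID" && /^DROP/                { d = NR }
         END { exit !(p && d && p < d) }' "$dir/rules" || return 1
    grep -q '^net.netfilter.nf_conntrack_tcp_loose = 0$' "$dir/99-synproxy.conf" || return 1
}

stage=$(mktemp -d)
write_synproxy_config "$stage" eth0 80
check_synproxy_config "$stage"
echo "staged SYNPROXY fragments in $stage"
```

After reviewing the staged files, copy `actions`, `conntrack` and `rules` into /etc/shorewall (merging with whatever is already there), put the sysctl fragment in /etc/sysctl.conf or /etc/sysctl.d/, and run `shorewall check` before `shorewall reload`.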