
Add firewall SYNPROXY
Closed, Resolved. Public. Feature request

Description

Add a firewall synproxy action.
It is helpful to protect against TCP SYN flood attacks and port scanners.

The SYNPROXY target allows you to intercept TCP connections and
establish them using syncookies before passing them on to the
server. This avoids conntrack and server resource usage
during SYN-flood attacks.

It can be used in the input or forward hook.

table ip anon_synproxy_demo {

    chain PRE {
        type filter hook prerouting priority raw; policy accept;

        tcp dport 8888 tcp flags syn notrack
    }

    chain IN {
        type filter hook input priority filter; policy accept;

        tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid drop
    }
}

Proposed CLI

set service synproxy interface ethX <input|forward>
set service synproxy rule 10 destination port 8888
set service synproxy rule 10 tcp-mss 1460
set service synproxy rule 10 window-scale 7

It also requires the kernel option CONFIG_NFT_SYNPROXY=m, which is currently not set:

vyos@r14# zcat /proc/config.gz | grep -i CONFIG_NFT_SYNPROXY
# CONFIG_NFT_SYNPROXY is not set
[edit]
vyos@r14#

Using synproxy requires disabling the conntrack loose tracking option.
Also, because synproxy relies on syncookies and TCP timestamps, ensure these are enabled:

% echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
% echo 1 > /proc/sys/net/ipv4/tcp_syncookies
% echo 1 > /proc/sys/net/ipv4/tcp_timestamps

It is also recommended to increase the conntrack hash size and table limit:

% echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
% /sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000

https://wiki.nftables.org/wiki-nftables/index.php/Synproxy
https://git.netfilter.org/nftables/commit/?id=1188a69604c3df2a63daca9e735fdb535e8f6b63
https://github.com/torvalds/linux/blob/master/net/netfilter/nft_synproxy.c
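As an added example (not VyOS code and not the implementation behind this task), the following Python renders the nftables ruleset that the proposed CLI parameters map to, together with the prerequisite settings listed above. It goes beyond the ruleset shown on this page in that it also renders the forward-hook variant and an optional inbound-interface match; the table name, the parameter checks and the `nft -c` dry run are assumptions of the example.

```python
"""Render the nftables ruleset behind the proposed synproxy CLI, plus the
prerequisites listed above. Added example, not VyOS code."""
import subprocess

# Prerequisites from this page as (path, value) pairs. The two conntrack
# sizes are recommendations; size them for the expected peak of flows.
PREREQUISITES = [
    ("/proc/sys/net/netfilter/nf_conntrack_tcp_loose", 0),  # synproxy needs strict tracking
    ("/proc/sys/net/ipv4/tcp_syncookies", 1),                # cookies encode the client state
    ("/proc/sys/net/ipv4/tcp_timestamps", 1),                # TCP options ride in the TS option
    ("/sys/module/nf_conntrack/parameters/hashsize", 1000000),
    ("/proc/sys/net/netfilter/nf_conntrack_max", 2000000),
]


def prerequisite_commands():
    """Shell lines equivalent to the echo/sysctl commands on this page."""
    return [f"echo {value} > {path}" for path, value in PREREQUISITES]


def render_ruleset(hook, port, mss=1460, wscale=7, iface=None, table="synproxy_demo"):
    """nft text for one synproxied TCP service.

    hook  -- "input" (service on the router) or "forward" (service behind it);
             nft_synproxy is only valid in those two hooks.
    iface -- optional inbound interface, as in the proposed CLI.
    table -- an assumed name for this example.
    """
    if hook not in ("input", "forward"):
        raise ValueError("synproxy is only valid in the input and forward hooks")
    if not 0 <= wscale <= 14:
        raise ValueError("TCP window scale must be 0..14 (RFC 7323)")
    if not 0 < mss <= 65535:
        raise ValueError("mss must fit a 16-bit TCP option")
    match = f'iifname "{iface}" ' if iface else ""
    return f"""table ip {table} {{
    chain PRE {{
        type filter hook prerouting priority raw; policy accept;
        # keep the client's SYN out of conntrack; synproxy answers it with a cookie
        {match}tcp dport {port} tcp flags syn notrack
    }}
    chain {hook.upper()} {{
        type filter hook {hook} priority filter; policy accept;
        # the untracked SYN and the cookie-bearing ACK reach synproxy, which then
        # opens the backend connection itself; only that one enters conntrack
        {match}tcp dport {port} ct state invalid,untracked synproxy mss {mss} wscale {wscale} timestamp sack-perm
        ct state invalid drop
    }}
}}
"""


def check_ruleset(text):
    """Dry-run the text through `nft -c -f -` (check mode, nothing is loaded).
    Returns True/False for nft's verdict, or None when nft is not installed."""
    try:
        proc = subprocess.run(["nft", "-c", "-f", "-"], input=text,
                              text=True, capture_output=True)
    except FileNotFoundError:
        return None
    return proc.returncode == 0


if __name__ == "__main__":
    print("\n".join(prerequisite_commands()))
    ruleset = render_ruleset("forward", 8888, iface="eth1")
    print(ruleset)
    print("nft -c verdict:", check_ruleset(ruleset))
```

The dry run only checks syntax and expression validity; it still needs the nf_tables modules and may need CAP_NET_ADMIN, and it does not verify that CONFIG_NFT_SYNPROXY is available. Load the rendered text with `nft -f -` once the prerequisites above are in place.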

Details

Version
1.4
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Viacheslav changed Version from - to 1.4.

First tests unsuccessful

echo 0 | sudo tee /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 1 | sudo tee /proc/sys/net/ipv4/tcp_syncookies
echo 1 | sudo tee /proc/sys/net/ipv4/tcp_timestamps

Rules

vyos@r4# sudo nft list ruleset
table ip vyos_synproxy {
	chain PRE {
		type filter hook prerouting priority raw; policy accept;
		tcp dport 22 tcp flags syn counter packets 1 bytes 60 notrack
	}

	chain IN {
		type filter hook input priority filter; policy accept;
		tcp dport 22 ct state invalid,untracked counter packets 1 bytes 60 synproxy mss 1460 wscale 7 timestamp sack-perm comment "ipv4-INP-filter-10"
		ct state invalid counter packets 0 bytes 0 drop
	}
}

Packet checksums incorrect
192.0.2.5 - client
192.0.2.1 - server side with synproxy

vyos@r4# sudo tcpdump -ntvi eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP (tos 0x10, ttl 64, id 39524, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.5.54932 > 192.0.2.1.22: Flags [S], cksum 0x8435 (incorrect -> 0x2add), seq 2220091737, win 64240, options [mss 1460,sackOK,TS val 2846797860 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.1.22 > 192.0.2.5.54932: Flags [S.], cksum 0x8435 (incorrect -> 0xe5bf), seq 177791946, ack 2220091738, win 0, options [mss 1460,sackOK,TS val 4411735 ecr 2846797860,nop,wscale 7], length 0
IP (tos 0x10, ttl 64, id 39525, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.54932 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x1296), ack 1, win 502, options [nop,nop,TS val 2846797860 ecr 4411735], length 0
IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.1.22 > 192.0.2.5.54932: Flags [R], cksum 0x66cb (correct), seq 177791947, win 0, length 0

Update
But after some time (several minutes) it starts to work

vyos@r4:~$ sudo tcpdump -ntvi eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP (tos 0x0, ttl 64, id 54214, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [S], cksum 0x8435 (incorrect -> 0xef73), seq 3840758878, win 64428, options [mss 2301,sackOK,TS val 1105491526 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [S.], cksum 0x8435 (incorrect -> 0x75a4), seq 3524634997, ack 3840758879, win 0, options [mss 1460,sackOK,TS val 5373143 ecr 1105491526,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 54215, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0xa278), ack 1, win 504, options [nop,nop,TS val 1105491526 ecr 5373143], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0xa273), ack 1, win 509, options [nop,nop,TS val 5373143 ecr 1105491526], length 0
IP (tos 0x0, ttl 64, id 54216, offset 0, flags [DF], proto TCP (6), length 93)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x8456 (incorrect -> 0x1869), seq 1:42, ack 1, win 504, options [nop,nop,TS val 1105491526 ecr 5373143], length 41: SSH: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u3
IP (tos 0x0, ttl 64, id 46787, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0xa24a), ack 42, win 509, options [nop,nop,TS val 5373143 ecr 1105491526], length 0
IP (tos 0x0, ttl 64, id 46788, offset 0, flags [DF], proto TCP (6), length 75)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8444 (incorrect -> 0xad0a), seq 1:24, ack 42, win 509, options [nop,nop,TS val 5373151 ecr 1105491526], length 23: SSH: SSH-2.0-OpenSSH_9.2p1
IP (tos 0x0, ttl 64, id 54217, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0xa228), ack 24, win 504, options [nop,nop,TS val 1105491534 ecr 5373151], length 0
IP (tos 0x0, ttl 64, id 54218, offset 0, flags [DF], proto TCP (6), length 1444)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x899d (incorrect -> 0x6288), seq 42:1434, ack 24, win 504, options [nop,nop,TS val 1105491535 ecr 5373151], length 1392
IP (tos 0x0, ttl 64, id 46789, offset 0, flags [DF], proto TCP (6), length 1132)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8865 (incorrect -> 0xe7f3), seq 24:1104, ack 1434, win 501, options [nop,nop,TS val 5373153 ecr 1105491535], length 1080
IP (tos 0x0, ttl 64, id 54219, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x9884), ack 1104, win 496, options [nop,nop,TS val 1105491536 ecr 5373153], length 0
IP (tos 0x0, ttl 64, id 54220, offset 0, flags [DF], proto TCP (6), length 100)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x845d (incorrect -> 0xe50f), seq 1434:1482, ack 1104, win 496, options [nop,nop,TS val 1105491538 ecr 5373153], length 48
IP (tos 0x0, ttl 64, id 46790, offset 0, flags [DF], proto TCP (6), length 648)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8681 (incorrect -> 0x37fc), seq 1104:1700, ack 1482, win 501, options [nop,nop,TS val 5373158 ecr 1105491538], length 596
IP (tos 0x0, ttl 64, id 54221, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x95f7), ack 1700, win 495, options [nop,nop,TS val 1105491541 ecr 5373158], length 0
IP (tos 0x0, ttl 64, id 54222, offset 0, flags [DF], proto TCP (6), length 68)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x843d (incorrect -> 0x8bbb), seq 1482:1498, ack 1700, win 495, options [nop,nop,TS val 1105491544 ecr 5373158], length 16
IP (tos 0x0, ttl 64, id 46791, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0x95b2), ack 1498, win 501, options [nop,nop,TS val 5373202 ecr 1105491544], length 0
IP (tos 0x0, ttl 64, id 54223, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x8459 (incorrect -> 0x0cd5), seq 1498:1542, ack 1700, win 495, options [nop,nop,TS val 1105491585 ecr 5373202], length 44
IP (tos 0x0, ttl 64, id 46792, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0x955d), ack 1542, win 501, options [nop,nop,TS val 5373202 ecr 1105491585], length 0
IP (tos 0x0, ttl 64, id 46793, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8459 (incorrect -> 0xaa8f), seq 1700:1744, ack 1542, win 501, options [nop,nop,TS val 5373202 ecr 1105491585], length 44
IP (tos 0x0, ttl 64, id 54224, offset 0, flags [DF], proto TCP (6), length 112)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x8469 (incorrect -> 0xb00a), seq 1542:1602, ack 1744, win 495, options [nop,nop,TS val 1105491585 ecr 5373202], length 60
IP (tos 0x0, ttl 64, id 46794, offset 0, flags [DF], proto TCP (6), length 104)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8461 (incorrect -> 0x4728), seq 1744:1796, ack 1602, win 501, options [nop,nop,TS val 5373211 ecr 1105491585], length 52
IP (tos 0x0, ttl 64, id 54225, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x948c), ack 1796, win 495, options [nop,nop,TS val 1105491635 ecr 5373211], length 0
IP (tos 0x0, ttl 64, id 54226, offset 0, flags [DF], proto TCP (6), length 200)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x84c1 (incorrect -> 0x8d16), seq 1602:1750, ack 1796, win 495, options [nop,nop,TS val 1105493130 ecr 5373211], length 148
IP (tos 0x0, ttl 64, id 46795, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0x87f2), ack 1750, win 501, options [nop,nop,TS val 5374788 ecr 1105493130], length 0
IP (tos 0x0, ttl 64, id 46796, offset 0, flags [DF], proto TCP (6), length 80)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8449 (incorrect -> 0x1fe3), seq 1796:1824, ack 1750, win 501, options [nop,nop,TS val 5375322 ecr 1105493130], length 28
IP (tos 0x0, ttl 64, id 54227, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x8387), ack 1824, win 495, options [nop,nop,TS val 1105493705 ecr 5375322], length 0
IP (tos 0x0, ttl 64, id 54228, offset 0, flags [DF], proto TCP (6), length 164)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x849d (incorrect -> 0xb8d6), seq 1750:1862, ack 1824, win 495, options [nop,nop,TS val 1105493705 ecr 5375322], length 112
IP (tos 0x0, ttl 64, id 46797, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0x8311), ack 1862, win 501, options [nop,nop,TS val 5375322 ecr 1105493705], length 0
IP (tos 0x0, ttl 64, id 46798, offset 0, flags [DF], proto TCP (6), length 1120)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8859 (incorrect -> 0xe214), seq 1824:2892, ack 1862, win 501, options [nop,nop,TS val 5375452 ecr 1105493705], length 1068
IP (tos 0x0, ttl 64, id 54229, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x7de8), ack 2892, win 495, options [nop,nop,TS val 1105493834 ecr 5375452], length 0
IP (tos 0x0, ttl 64, id 46799, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8459 (incorrect -> 0x4fc8), seq 2892:2936, ack 1862, win 501, options [nop,nop,TS val 5375452 ecr 1105493834], length 44
IP (tos 0x0, ttl 64, id 54230, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x7dbb), ack 2936, win 495, options [nop,nop,TS val 1105493835 ecr 5375452], length 0
IP (tos 0x10, ttl 64, id 54231, offset 0, flags [DF], proto TCP (6), length 512)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x85f9 (incorrect -> 0xf414), seq 1862:2322, ack 2936, win 495, options [nop,nop,TS val 1105493835 ecr 5375452], length 460
IP (tos 0x0, ttl 64, id 46800, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0x7be9), ack 2322, win 501, options [nop,nop,TS val 5375452 ecr 1105493835], length 0
IP (tos 0x10, ttl 64, id 46801, offset 0, flags [DF], proto TCP (6), length 160)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8499 (incorrect -> 0x0c7c), seq 2936:3044, ack 2322, win 501, options [nop,nop,TS val 5375453 ecr 1105493835], length 108
IP (tos 0x10, ttl 64, id 54232, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x7b82), ack 3044, win 495, options [nop,nop,TS val 1105493835 ecr 5375453], length 0
IP (tos 0x10, ttl 64, id 46802, offset 0, flags [DF], proto TCP (6), length 496)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x85e9 (incorrect -> 0xe375), seq 3044:3488, ack 2322, win 501, options [nop,nop,TS val 5375453 ecr 1105493835], length 444
IP (tos 0x10, ttl 64, id 54233, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x79c5), ack 3488, win 495, options [nop,nop,TS val 1105493836 ecr 5375453], length 0
IP (tos 0x10, ttl 64, id 46803, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8459 (incorrect -> 0x2040), seq 3488:3532, ack 2322, win 501, options [nop,nop,TS val 5375470 ecr 1105493836], length 44
IP (tos 0x10, ttl 64, id 54234, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x7977), ack 3532, win 495, options [nop,nop,TS val 1105493853 ecr 5375470], length 0
IP (tos 0x10, ttl 64, id 46804, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8459 (incorrect -> 0xb298), seq 3532:3576, ack 2322, win 501, options [nop,nop,TS val 5375470 ecr 1105493853], length 44
IP (tos 0x10, ttl 64, id 54235, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x794b), ack 3576, win 495, options [nop,nop,TS val 1105493853 ecr 5375470], length 0
IP (tos 0x10, ttl 64, id 46805, offset 0, flags [DF], proto TCP (6), length 96)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8459 (incorrect -> 0x355b), seq 3576:3620, ack 2322, win 501, options [nop,nop,TS val 5375471 ecr 1105493853], length 44
IP (tos 0x10, ttl 64, id 54236, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x791d), ack 3620, win 495, options [nop,nop,TS val 1105493854 ecr 5375471], length 0
IP (tos 0x10, ttl 64, id 46806, offset 0, flags [DF], proto TCP (6), length 112)
    192.0.2.1.22 > 192.0.2.5.58370: Flags [P.], cksum 0x8469 (incorrect -> 0xd1d2), seq 3620:3680, ack 2322, win 501, options [nop,nop,TS val 5375530 ecr 1105493854], length 60
IP (tos 0x10, ttl 64, id 54237, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x786c), ack 3680, win 495, options [nop,nop,TS val 1105493912 ecr 5375530], length 0
^C

PR https://github.com/vyos/vyos-1x/pull/2295

set system sysctl parameter net.ipv4.tcp_syncookies value '1'
set system sysctl parameter net.ipv4.tcp_timestamps value '1'

set system conntrack tcp loose 'disable'
set system conntrack ignore ipv4 rule 10 destination port '22'
set system conntrack ignore ipv4 rule 10 protocol 'tcp'
set system conntrack ignore ipv4 rule 10 tcp flags syn

set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv4 input filter rule 100 action 'drop'
set firewall ipv4 input filter rule 100 state invalid 'enable'
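The following Python, added here and not part of this task or of VyOS, parses `tcpdump -ntv` text like the two captures above and reports, per flow, whether the SYN-ACK came from synproxy and whether the connection then got through. It assumes two facts about nf_synproxy that both captures are consistent with: the proxy's SYN-ACK advertises a zero window and echoes the client's timestamp, and once the backend handshake succeeds the proxy sends the client a pure ACK carrying the real window (the `win 509` segment in the second capture). The `incorrect` checksum annotations are ignored: tcpdump typically prints them for segments whose checksum is left to offload, so they say nothing about synproxy. The embedded traces are excerpts of the captures on this page, trimmed to the handshake.

```python
"""Classify the TCP handshakes in a `tcpdump -ntv` text capture taken on a
synproxy host. Added example for this task; not VyOS or nftables code."""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# tcpdump -v prints two lines per segment; only the TCP line is parsed.
_TCP = re.compile(
    r"^\s*(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum 0x[0-9a-f]+ \((?:in)?correct[^)]*\)"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)"
)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    win: int
    ts_val: Optional[int]
    ts_ecr: Optional[int]
    length: int


def parse(trace):
    segs = []
    for line in trace.splitlines():
        m = _TCP.match(line)
        if not m:
            continue  # IP header lines, the tcpdump banner, "^C"
        ts = re.search(r"TS val (\d+) ecr (\d+)", m["opts"] or "")
        segs.append(Segment(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                            m["flags"], int(m["win"]),
                            int(ts[1]) if ts else None, int(ts[2]) if ts else None,
                            int(m["length"])))
    return segs


def classify(segs):
    """One verdict per flow that starts with a SYN, in first-seen order."""
    flows = OrderedDict()
    for s in segs:
        flows.setdefault(frozenset({(s.src, s.sport), (s.dst, s.dport)}), []).append(s)
    verdicts = []
    for pkts in flows.values():
        syn = next((p for p in pkts if p.flags == "S"), None)
        if syn is None:
            continue  # handshake not in the capture; nothing to judge
        client, server = (syn.src, syn.sport), (syn.dst, syn.dport)
        from_server = [p for p in pkts if (p.src, p.sport) == server]
        synack = next((p for p in from_server if p.flags == "S."), None)
        if synack is None:
            verdicts.append({"client": client, "server": server,
                             "proxied": False, "outcome": "no-synack"})
            continue
        # Assumption from nf_synproxy: its cookie SYN-ACK advertises a zero window
        # and echoes the client's TS val; a real Linux listener advertises its buffer.
        proxied = synack.win == 0 and synack.ts_ecr == syn.ts_val
        after = from_server[from_server.index(synack) + 1:]
        if not after:
            outcome = "incomplete"
        elif "R" in after[0].flags:
            outcome = "reset-by-server"   # backend side never came up
        elif after[0].win > 0:
            outcome = "established"       # window update once the backend handshake succeeded
        else:
            outcome = "incomplete"
        verdicts.append({"client": client, "server": server,
                         "proxied": proxied, "outcome": outcome})
    return verdicts


# Excerpts of the two captures on this page (constructed test input).
FAILED_TRACE = """\
IP (tos 0x10, ttl 64, id 39524, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.5.54932 > 192.0.2.1.22: Flags [S], cksum 0x8435 (incorrect -> 0x2add), seq 2220091737, win 64240, options [mss 1460,sackOK,TS val 2846797860 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.1.22 > 192.0.2.5.54932: Flags [S.], cksum 0x8435 (incorrect -> 0xe5bf), seq 177791946, ack 2220091738, win 0, options [mss 1460,sackOK,TS val 4411735 ecr 2846797860,nop,wscale 7], length 0
IP (tos 0x10, ttl 64, id 39525, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.5.54932 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0x1296), ack 1, win 502, options [nop,nop,TS val 2846797860 ecr 4411735], length 0
IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.1.22 > 192.0.2.5.54932: Flags [R], cksum 0x66cb (correct), seq 177791947, win 0, length 0
"""
WORKING_TRACE = """\
tcpdump: listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    192.0.2.5.58370 > 192.0.2.1.22: Flags [S], cksum 0x8435 (incorrect -> 0xef73), seq 3840758878, win 64428, options [mss 2301,sackOK,TS val 1105491526 ecr 0,nop,wscale 7], length 0
    192.0.2.1.22 > 192.0.2.5.58370: Flags [S.], cksum 0x8435 (incorrect -> 0x75a4), seq 3524634997, ack 3840758879, win 0, options [mss 1460,sackOK,TS val 5373143 ecr 1105491526,nop,wscale 7], length 0
    192.0.2.5.58370 > 192.0.2.1.22: Flags [.], cksum 0x842d (incorrect -> 0xa278), ack 1, win 504, options [nop,nop,TS val 1105491526 ecr 5373143], length 0
    192.0.2.1.22 > 192.0.2.5.58370: Flags [.], cksum 0x842d (incorrect -> 0xa273), ack 1, win 509, options [nop,nop,TS val 5373143 ecr 1105491526], length 0
    192.0.2.5.58370 > 192.0.2.1.22: Flags [P.], cksum 0x8456 (incorrect -> 0x1869), seq 1:42, ack 1, win 504, options [nop,nop,TS val 1105491526 ecr 5373143], length 41: SSH: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u3
"""

if __name__ == "__main__":
    for name, trace in (("first test", FAILED_TRACE), ("later test", WORKING_TRACE)):
        for verdict in classify(parse(trace)):
            print(name, verdict)
```

Run it against a live capture with `sudo tcpdump -ntvi eth1 port 22 | python3 synproxy_trace.py` after changing `__main__` to read `sys.stdin`; a flow reported as `proxied` but `reset-by-server` is the failure mode of the first test above, while a non-proxied SYN-ACK (non-zero window) means the SYN reached the listener without passing through the `notrack` plus `synproxy` pair.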
Viacheslav changed the task status from Open to Needs testing. Oct 4 2023, 8:55 AM
Viacheslav claimed this task.
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.