Add firewall synproxy.
It helps protect against TCP SYN flood attacks and port scanners.
The SYNPROXY target intercepts incoming TCP connections and completes the
three-way handshake itself using syncookies before opening the connection to
the server. A conntrack entry and server resources are only allocated once a
client completes the handshake, so half-open connections from a SYN flood
consume neither during the attack.
It can be used in the input hook (to protect the router itself) or the forward hook (to protect hosts behind it). Example nftables ruleset from the nftables wiki:
table ip anon_synproxy_demo {
    chain PRE {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 8888 tcp flags syn notrack
    }
    chain IN {
        type filter hook input priority filter; policy accept;
        tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid drop
    }
}
Proposed CLI:
set service synproxy interface ethX <input|forward>
set service synproxy rule 10 destination port 8888
set service synproxy rule 10 tcp-mss 1460
set service synproxy rule 10 window-scale 7
It also requires a kernel built with CONFIG_NFT_SYNPROXY (=m or =y). The current VyOS kernel does not enable it:
vyos@r14# zcat /proc/config.gz | grep -i CONFIG_NFT_SYNPROXY
# CONFIG_NFT_SYNPROXY is not set
[edit]
vyos@r14#
Using synproxy requires disabling the conntrack loose tracking option: with nf_conntrack_tcp_loose=1, a mid-stream packet (an ACK with no preceding SYN) would create a conntrack entry and bypass the proxy entirely.
Also, because synproxy relies on syncookies and TCP timestamps, ensure both are enabled:
% echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
% echo 1 > /proc/sys/net/ipv4/tcp_syncookies
% echo 1 > /proc/sys/net/ipv4/tcp_timestamps
It is also recommended to increase the conntrack hash size and connection limit, since synproxy still creates a conntrack entry for every completed handshake:
% echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
% /sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000
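As an added example (not VyOS code and not part of the original request), the following POSIX shell script shows how the proposed CLI parameters would map onto an nftables ruleset for either hook, checks the kernel config for CONFIG_NFT_SYNPROXY before anything is applied, and lists the sysctls above. The function names, the table and chain names, and the sample config.gz lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not VyOS code. Renders the proposed "set service synproxy"
# parameters as an nftables ruleset and checks kernel support first.
# Function names, table/chain names and sample data are assumptions.

# Return 0 if the kernel config text on stdin enables CONFIG_NFT_SYNPROXY
# (=y or =m), 1 otherwise. Feed it `zcat /proc/config.gz` on a live box.
kernel_has_synproxy() {
    grep -qE '^CONFIG_NFT_SYNPROXY=(y|m)$'
}

# gen_synproxy_ruleset HOOK PORT MSS WSCALE
# HOOK is "input" (protect the router itself) or "forward" (protect hosts
# behind it). The raw-priority prerouting rule keeps the bare SYN out of
# conntrack; the synproxy rule then answers it with a syncookie and only
# opens the real connection (and a conntrack entry) once the client ACKs.
# Whatever is still invalid afterwards is dropped.
gen_synproxy_ruleset() {
    hook=$1 port=$2 mss=$3 wscale=$4
    case $hook in
        input|forward) ;;
        *) echo "hook must be input or forward" >&2; return 1 ;;
    esac
    cat <<EOF
table ip synproxy_demo {
    chain pre {
        type filter hook prerouting priority raw; policy accept;
        tcp dport $port tcp flags syn notrack
    }
    chain $hook {
        type filter hook $hook priority filter; policy accept;
        tcp dport $port ct state invalid,untracked synproxy mss $mss wscale $wscale timestamp sack-perm
        ct state invalid drop
    }
}
EOF
}

# Sysctls synproxy depends on: no loose conntrack pickup (an ACK without a
# SYN must not bypass the proxy), syncookies and timestamps enabled.
synproxy_sysctls() {
    cat <<EOF
net.netfilter.nf_conntrack_tcp_loose=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
EOF
}

# Constructed samples of `zcat /proc/config.gz | grep CONFIG_NFT_SYNPROXY`
# output: the first matches what the page reports for the VyOS kernel.
SAMPLE_CONFIG_MISSING='# CONFIG_NFT_SYNPROXY is not set'
SAMPLE_CONFIG_PRESENT='CONFIG_NFT_SYNPROXY=m'

# Usage on a live system (left commented so the example runs offline):
#   zcat /proc/config.gz | kernel_has_synproxy || echo "kernel lacks nft synproxy"
#   synproxy_sysctls | while read kv; do sysctl -w "$kv"; done
#   gen_synproxy_ruleset input 8888 1460 7 | nft -f -
```

Running the forward variant only makes sense if return traffic from the protected host also passes through this box, since the synproxy statement needs conntrack to translate sequence numbers on both directions of the flow.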
https://wiki.nftables.org/wiki-nftables/index.php/Synproxy
https://git.netfilter.org/nftables/commit/?id=1188a69604c3df2a63daca9e735fdb535e8f6b63
https://github.com/torvalds/linux/blob/master/net/netfilter/nft_synproxy.c