Hi there,
I've got a few ingress NAT rules, port forwards, however I can't see how I can specify 'synproxy' as part of this?
The rules that are automatically created are not editable, to locate the Advanced setting - and potentially enable synproxy there - and it doesn't seem to be possible to set this on the parent NAT rule?
Cheers,
Could I perhaps create a Floating rule, but remove the 'Quick' option, and enable synproxy there?
Just in case I was going mad - and that by NAT-ing a synproxy is implied - I ran the below test:
1 SYN packet sent to the host
sudo hping3 -i u1 -S -p 443 a.a.a.a -N 1
HPING a.a.a.a (eth0 a.a.a.a): S set, 40 headers + 0 data bytes
Destination shows SYN_RECV
tcp 0 0 a.a.a.a:443 b.b.b.b:62294 SYN_RECV
So unless the internal host has SYN cookies enabled and/or TCP timestamps disabled, or a firewall running locally providing synproxy, it would seem it is possible to perform basic DoS attacks based on port forwards.
Although presumably breaks window scaling... "this is not the solution you're looking for"....
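
Added example, not part of the posts above: a defender-side version of the check described in the thread. It counts half-open (SYN_RECV) sockets per local port on the internal host from `netstat -tn` output and reads the host's SYN cookie setting. If the firewall were completing the handshake itself (synproxy), a lone SYN would not show up as SYN_RECV on the internal host. The sample lines, addresses, function names and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the `netstat -tn` layout quoted in the thread
# (documentation-range placeholder addresses, not real hosts).
SAMPLE = """\
tcp        0      0 192.0.2.10:443     198.51.100.7:62294   SYN_RECV
tcp        0      0 192.0.2.10:443     198.51.100.7:62295   SYN_RECV
tcp        0      0 192.0.2.10:443     203.0.113.5:51000    ESTABLISHED
tcp        0      0 192.0.2.10:22      203.0.113.9:40022    SYN_RECV
tcp6       0      0 2001:db8::10:443   2001:db8::99:51234   SYN_RECV
"""


def half_open_by_port(netstat_text):
    """Count sockets in SYN_RECV per local port (IPv4 and IPv6 lines)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local remote state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        # The port is whatever follows the last ':' of the local address.
        port = fields[3].rsplit(":", 1)[1]
        counts[int(port)] += 1
    return counts


def flag_ports(counts, threshold):
    """Ports whose half-open count reaches the (assumed) alert threshold."""
    return sorted(p for p, n in counts.items() if n >= threshold)


def syncookies_setting(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Linux only: 0 = off, 1 = used on backlog overflow, 2 = always.
    Returns None when the file is absent (non-Linux host)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    counts = half_open_by_port(SAMPLE)
    print("half-open per port:", dict(counts))
    print("ports at/over threshold 2:", flag_ports(counts, 2))
    print("tcp_syncookies:", syncookies_setting())
```

On a live host, pass the output of `netstat -tn` to `half_open_by_port` instead of `SAMPLE`.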