OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: iMx on July 06, 2019, 05:28:23 pm

Title: synproxy with NAT inbound, no advanced option?
Post by: iMx on July 06, 2019, 05:28:23 pm
Hi there,

I've got a few ingress NAT rules, port forwards, however I can't see how I can specify 'synproxy' as part of this? 

The rules that are automatically created are not editable, to locate the Advanced setting - and potentially enable synproxy there - and it doesn't seem to be possible to set this on the parent NAT rule?

Cheers,
Title: Re: synproxy with NAT inbound, no advanced option?
Post by: iMx on July 06, 2019, 07:54:21 pm
Could I perhaps create a Floating rule, but remove the 'Quick' option, and enable synproxy there?
Title: Re: synproxy with NAT inbound, no advanced option?
Post by: iMx on July 07, 2019, 12:08:56 pm
Just in case I was going mad - and that by NAT-ing a synproxy is implied - I ran the below test:

1 SYN packet sent to the host

Code:
sudo hping3 -i u1 -S -p 443 a.a.a.a -N 1
HPING a.a.a.a (eth0 a.a.a.a): S set, 40 headers + 0 data bytes

Destination shows SYN_RECV

Code:
tcp        0      0 a.a.a.a:443           b.b.b.b:62294     SYN_RECV

So unless the internal host has SYN cookies enabled and/or tcp timestamps disabled, or a firewall running locally providing synproxy, it would seem it is possible to perform basic DoS attacks based on port forwards.
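For reference, here is what the difference looks like at the pf level, which is what OPNsense sits on top of. This is an added example in raw FreeBSD pf.conf syntax, not a rule set generated by the OPNsense GUI or taken from the thread; the interface name, the internal server address and the limits are constructed placeholders. The first pass rule reproduces the behaviour observed in the test above (the SYN reaches the internal host and leaves it in SYN_RECV); the second has pf complete the three-way handshake itself before it opens a connection to the server, so a bare SYN never reaches the host. The connection-rate options are an independent, additional limit that works with either rule.

```pf
# Constructed placeholders: external interface and the port-forward target
ext_if  = "em0"
web_srv = "10.0.0.5"

# Table of sources that exceed the per-source limits below
table <flooders> persist

# Port forward (rdr) for 443 to the internal web server
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# 1) Plain stateful pass: pf forwards the client's SYN unchanged, so every
#    spoofed SYN costs the internal host a half-open (SYN_RECV) connection.
#    Source-rate limiting still applies: more than 15 new connections in
#    5 seconds, or more than 100 concurrent, puts the source into <flooders>
#    and flushes its existing states.
pass in on $ext_if proto tcp from any to $web_srv port 443 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# 2) synproxy: pf answers the SYN with its own SYN-ACK and only contacts
#    $web_srv once the client's ACK has arrived. A source that never completes
#    the handshake never creates a state on the internal host.
pass in on $ext_if proto tcp from any to $web_srv port 443 \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# Anything in <flooders> is dropped before either pass rule is evaluated
block in quick on $ext_if from <flooders>
```

Only one of the two pass rules would be present in a real rule set; they are shown together to make the difference visible. Because pf must see both directions of the connection for synproxy to complete the handshake, it is of no use on a bridge or on an asymmetric path, and it is applied per rule, which is why a port forward whose pass rule is generated automatically has no obvious place to enable it.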
Title: Re: synproxy with NAT inbound, no advanced option?
Post by: iMx on July 07, 2019, 01:33:31 pm
Although presumably breaks window scaling... "this is not the solution you're looking for"....