OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: iMx on July 06, 2019, 05:28:23 pm
-
Hi there,
I've got a few ingress NAT rules, port forwards, however I can't see how I can specify 'synproxy' as part of this?
The rules that are automatically created are not editable, to locate the Advanced setting - and potentially enable synproxy there - and it doesn't seem to be possible to set this on the parent NAT rule?
Cheers,
-
Could I perhaps create a Floating rule, but remove the 'Quick' option, and enable synproxy there?
-
Just in case I was going mad - and that by NAT-ing a synproxy is implied - I ran the below test:
1 SYN packet sent to the host
sudo hping3 -i u1 -S -p 443 a.a.a.a -N 1
HPING a.a.a.a (eth0 a.a.a.a): S set, 40 headers + 0 data bytes
Destination shows SYN_RECV
tcp 0 0 a.a.a.a:443 b.b.b.b:62294 SYN_RECV
So unless the internal host has SYN cookies enabled and/or tcp timestamps disabled, or a firewall running locally providing synproxy, it would seem it is possible to perform basic DoS attacks based on port forwards.
-
Although presumably breaks window scaling... "this is not the solution you're looking for"....
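For reference, the pf syntax the question is about, as an added example that is not from this thread or from OPNsense's generated ruleset: in pf, synproxy is a property of the pass rule that admits the forwarded traffic, not of the rdr rule itself. The interface name and addresses are assumed placeholders.

```pf
# Added example (not OPNsense-generated): pf fragment showing where 'synproxy state' goes.
# Assumed placeholders: em0 = WAN interface, 203.0.113.5 = public address,
# 192.0.2.10 = internal web host.
ext_if  = "em0"
pub_ip  = "203.0.113.5"
web_srv = "192.0.2.10"

# Port forward: translate inbound 443 on the WAN address to the internal host.
rdr on $ext_if proto tcp from any to $pub_ip port 443 -> $web_srv port 443

# Without synproxy the handshake is passed straight through: every matching SYN
# creates a half-open connection (SYN_RECV) on the internal host, which is what
# the hping3 test above observed.
# pass in on $ext_if proto tcp from any to $web_srv port 443 flags S/SA keep state

# With synproxy, pf completes the three-way handshake with the client itself and
# only then opens a connection to the internal host, so unanswered SYNs never
# reach it. The pass rule matches the translated (internal) destination because
# in this pf generation filtering happens after rdr translation.
pass in on $ext_if proto tcp from any to $web_srv port 443 flags S/SA synproxy state
```

Rerunning the same single-SYN test after the change should show no SYN_RECV entry on the internal host, since the firewall absorbs the half-open handshake instead.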