OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: sja1440 on May 28, 2023, 02:46:27 pm

Title: Security issue with syncookie sequence numbers
Post by: sja1440 on May 28, 2023, 02:46:27 pm
When running OPNsense 23.1.8-amd64 with Firewall->Settings->Advanced->Enable syncookies = 'always', I have noticed that the reconstructed SYN sent by OPNsense to the remote destination always uses exactly the same TCP Sequence Number of 64240. I have verified this occurs with several well known destinations. I note that 64240 is the default TCP window size on my systems.

I believe that using exactly the same static sequence number in a TCP SYN is a security issue.

Here is an example of a Wireshark decoded initial SYN on my external WAN interface (syncookies enabled).
Internet Protocol Version 4, Src: <MY PUBLIC IP ADDRESS>, Dst: 157.240.252.60
Transmission Control Protocol, Src Port: 37615, Dst Port: 443, Seq: 0, Len: 0
    Source Port: 37615
    Destination Port: 443
    [Stream index: 0]
    [Conversation completeness: Incomplete, SYN_SENT (1)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 64240
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x002 (SYN)
    Window: 0
    [Calculated window size: 0]
    Checksum: 0x8392 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

I would guess that this is a known issue but I am unable to find a reference to it.
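The check a defender would want here, as an added example that is not part of the original post: given SYN segments pulled from a capture (source, source port, destination, destination port and the raw 32-bit ISN), flag any ISN that repeats across distinct flows, while deduplicating by 4-tuple so that retransmitted SYNs are not counted as reuse. The sample segments below are constructed, with documentation-range addresses, to reproduce the symptom described above.

```python
from collections import Counter
from typing import NamedTuple


class Syn(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    raw_seq: int  # the 32-bit ISN, Wireshark's "Sequence Number (raw)"


# Constructed sample: outbound SYNs as seen on the WAN side of the firewall.
# Three unrelated flows carry ISN 64240 (the symptom in the post), the fourth
# flow appears twice because of a legitimate retransmission, and the fifth
# flow carries an unrelated ISN.
SAMPLE_SYNS = [
    Syn("203.0.113.5", 37615, "157.240.252.60", 443, 64240),
    Syn("203.0.113.5", 37616, "198.51.100.20", 443, 64240),
    Syn("203.0.113.5", 37617, "198.51.100.21", 80, 64240),
    Syn("203.0.113.5", 37618, "198.51.100.22", 443, 2918375001),
    Syn("203.0.113.5", 37618, "198.51.100.22", 443, 2918375001),  # retransmit
    Syn("203.0.113.5", 37619, "198.51.100.23", 443, 1777231942),
]


def isn_per_flow(syns):
    """Map each distinct 4-tuple to the ISN its first SYN used.

    A retransmitted SYN legitimately repeats its own flow's ISN, so reuse is
    counted per flow, not per segment."""
    flows = {}
    for s in syns:
        flows.setdefault((s.src, s.sport, s.dst, s.dport), s.raw_seq)
    return flows


def reused_isns(syns, min_flows=2):
    """Return {isn: distinct_flow_count} for ISNs shared by >= min_flows flows.

    With a randomised ISN generator a 32-bit value repeating across unrelated
    flows in one capture is practically impossible, so any hit indicates a
    static or otherwise predictable ISN source."""
    counts = Counter(isn_per_flow(syns).values())
    return {isn: n for isn, n in counts.items() if n >= min_flows}


def isn_report(syns):
    flows = isn_per_flow(syns)
    return {"flows": len(flows),
            "distinct_isns": len(set(flows.values())),
            "reused": reused_isns(syns)}


if __name__ == "__main__":
    print(isn_report(SAMPLE_SYNS))
```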

Title: Re: Security issue with syncookie sequence numbers
Post by: sja1440 on May 28, 2023, 04:49:12 pm
On reflection, with OPNsense acting as a firewall, I do not think that it makes sense for OPNsense to apply syncookies to forwarded connections. It certainly seems odd.

When I enabled syncookies, I was thinking that it would be applied only to services running on the firewall itself - it never occurred to me that it might also apply to forwarded connections.