synproxy with NAT inbound, no advanced option?

Started by iMx, July 06, 2019, 05:28:23 PM

Hi there,

I've got a few ingress NAT rules (port forwards); however, I can't see how I can specify 'synproxy' as part of this?

The rules that are automatically created are not editable, so I can't get to the Advanced setting and potentially enable synproxy there, and it doesn't seem to be possible to set this on the parent NAT rule?

Cheers,

Could I perhaps create a Floating rule, but remove the 'Quick' option, and enable synproxy there?

Just in case I was going mad, and synproxy is implied by NAT-ing, I ran the test below:

1 SYN packet sent to the host:

sudo hping3 -i u1 -S -p 443 a.a.a.a -N 1
HPING a.a.a.a (eth0 a.a.a.a): S set, 40 headers + 0 data bytes

Destination shows SYN_RECV:

tcp        0      0 a.a.a.a:443           b.b.b.b:62294     SYN_RECV

So unless the internal host has SYN cookies enabled and/or TCP timestamps disabled, or a firewall running locally providing synproxy, it would seem it is possible to perform basic DoS attacks based on port forwards.

Although presumably it breaks window scaling... "this is not the solution you're looking for"....
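For reference, the two pieces the post is talking about in raw pf.conf syntax (which OPNsense's port-forward and firewall rules compile down to): the rdr translation rule and the pass filter rule are separate, and `synproxy state` is an option of the pass rule. This is an added illustration, not from the post or from OPNsense; the interface name, internal address and port are assumed.

```pf
# Added illustration (not from the post): raw pf.conf syntax behind a
# port forward. Assumed names and addresses:
ext_if   = "em0"
ext_ip   = "a.a.a.a"      # public address placeholder from the post
int_host = "192.0.2.10"   # internal host behind the port forward (assumed)

# 1. Translation rule: rewrites the destination of inbound :443 to the
#    internal host. It only translates; it does not filter and does not
#    keep any handshake away from the host by itself.
rdr on $ext_if proto tcp from any to $ext_ip port 443 -> $int_host port 443

# 2a. Filter rule as usually generated for a port forward: the client's
#     SYN is forwarded as soon as the state entry is created, so the
#     internal host sits in SYN_RECV for every spoofed SYN it receives
#     (the behaviour observed with hping3 in the post).
pass in on $ext_if proto tcp from any to $int_host port 443 \
    flags S/SA keep state

# 2b. Same rule with synproxy state (use 2a or 2b, not both): pf completes
#     the three-way handshake with the client itself and only then opens
#     the connection to the internal host, so half-open connections from
#     unreachable/spoofed sources never reach it. The post's caveat about
#     window scaling applies to this proxied handshake.
pass in on $ext_if proto tcp from any to $int_host port 443 \
    flags S/SA synproxy state
```

Because pf on FreeBSD translates before filtering, the pass rule matches on the translated destination ($int_host), not on $ext_ip.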