firewall: Enable SYNPROXY for untracked packets

This enables some DoS protection using SYNPROXY which will complete a SYN handshake with the client before the connection is being forwarded. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-22 17:02:58 +02:00 · 2024-04-18 21:11:41 +00:00
parent be2774c0c6
commit 8711955b38
1 changed files with 16 additions and 0 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000"

 IPSET_DB_DIR="/var/lib/location/ipset"

+SYNPROXY_OPTIONS=(
+	# Allow clients to use Selective ACKs
+	"--sack-perm"
+
+	# Allow TCP Timestamps
+	#"--timestamp"
+
+	# Window Scaling
+	"--wscale" "9"
+
+	# Maximum Segment Size
+	"--mss" "1460"
+)
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -151,6 +165,8 @@ iptables_init() {

 	iptables -N CTINPUT
 	iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+	iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
+		-p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
 	iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
 	iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT