pfSense Forum » pfSense English Support » Firewalling

Topic: syncookies not working in 2.0.1-RELEASE
mkhan
« on: February 15, 2012, 07:31:54 pm »

Hi,

I'm new to FreeBSD and pfSense and am having problems getting syncookies working on pfSense 2.0.1-RELEASE. The pfSense firewall has two interfaces, WAN and LAN. I have a webserver on the LAN that I can get to using NAT. I have net.inet.tcp.syncookies=1 set (I've also tried net.inet.tcp.syncookies_only=1).

I'm using a Linux box to generate a SYN flood using hping3 to the web server IP address on the WAN. I notice that pfSense is passing the traffic to the LAN and the state table is getting filled with SYNs, which shouldn't happen if syncookies are being used.

I'm wondering if someone has an idea as to why this may not be working. Thanks!
dhatz
« Reply #1 on: February 15, 2012, 08:05:28 pm »

Take a look at the synproxy feature:

http://www.openbsd.org/faq/pf/filter.html#synproxy
mkhan
« Reply #2 on: February 15, 2012, 08:17:59 pm »

I've tried SYNProxy as well, but that doesn't really help. I have 1,000,000 max states configured; however, under a SYN attack using hping3 all 1,000,000 get filled pretty much instantly. That's the whole reason to have SYN cookies working: so that your state table doesn't get full with bogus SYN requests. Even if I set net.inet.tcp.msl=7500, the incoming rate of connections outpaces the rate at which they are being removed from the state table. I'm not sending ridiculous amounts of packets either. My simulated attack is about 20-30K pps.
cmb (Administrator)
« Reply #3 on: February 18, 2012, 01:57:07 am »

SYN cookies have nothing to do with the state table; they only apply to traffic terminating on the firewall itself. You need other controls to prevent state table exhaustion (same as with any firewall), like the various advanced options on rules: limiting states per host, per rule, whatever methodology makes sense in your specific environment.
pfSense Commercial Support

Paying customers receive support priority and as in depth of assistance as desired through the official commercial support channels at portal.pfsense.org. Forum users receive as much help as time permits.
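As an added illustration of the per-rule and per-source state limits cmb refers to (not from the thread, and not a pfSense-generated ruleset), here is a pf.conf fragment in the form FreeBSD pf of that era accepts; the interface name, the web server address and the numeric limits are assumed values for a forwarded-HTTP setup like the one mkhan describes.

```pf
# Added example, not from the thread. Assumed names: em0 is the WAN interface,
# 192.168.1.10 is the LAN web server; limits are placeholders to tune per site.
wan_if  = "em0"
web_srv = "192.168.1.10"

# Sources that tripped a limit land here; "persist" keeps the table when empty.
table <flooders> persist

# Drop anything from a source already marked as a flooder before state lookup.
block in quick on $wan_if from <flooders>

# Inbound NAT for HTTP (pfSense writes this from its Port Forward page).
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv port 80

# The pass rule carries the state limits (the GUI "Advanced Options" map to these):
#   max             cap on states this rule may create, bounding its worst case
#   max-src-states  cap on concurrent states per source address
#   max-src-nodes   cap on distinct source addresses tracked by this rule
#   overload        a source exceeding a limit is added to <flooders>; "flush global"
#                   also tears down every existing state from that source
# Caveat: max-src-conn and max-src-conn-rate count only completed TCP handshakes,
# so a spoofed SYN flood never trips them; max-src-states and max do.
# synproxy state has pf finish the handshake before the server sees the SYN, but a
# half-open entry is still created per SYN, so the limits are what bound growth.
pass in on $wan_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state \
    (max 50000, max-src-states 50, max-src-nodes 5000, \
     overload <flooders> flush global)
```

With randomly spoofed sources the per-source limits barely fire, so the rule-wide max and max-src-nodes are what keep the rule from consuming the whole state table; a ruleset stays verifiable with pfctl -nf before loading it.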