
Author Topic: syncookies not working in 2.0.1-RELEASE  (Read 1095 times)


mkhan (Newbie, Posts: 2)
syncookies not working in 2.0.1-RELEASE
« on: February 15, 2012, 06:31:54 pm »
Hi,

I'm new to FreeBSD and pfSense and am having problems getting syncookies working on pfSense 2.0.1-RELEASE. The pfSense firewall has two interfaces WAN and LAN. I have a webserver on the LAN that I can get to using NAT. I have net.inet.tcp.syncookies=1 set (I've also tried net.inet.tcp.syncookies_only=1 as well).

I'm using a Linux box to generate a syn flood using hping3 to the web server IP address on the WAN. I notice that pfSense is passing the traffic to the LAN and the state table is getting filled with SYNs, which shouldn't happen if syncookies are being used.

I'm wondering if someone has an idea as to why this may not be working? Thanks!

dhatz (Hero Member, Posts: 1002)
Re: syncookies not working in 2.0.1-RELEASE
« Reply #1 on: February 15, 2012, 07:05:28 pm »
Take a look at the synproxy feature:

http://www.openbsd.org/faq/pf/filter.html#synproxy

Offline mkhan

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: syncookies not working in 2.0.1-RELEASE
« Reply #2 on: February 15, 2012, 07:17:59 pm »
I've tried SYNProxy as well, but that doesn't really help. I have 1,000,000 max states configured; however, under a SYN attack using hping3 all 1,000,000 get filled pretty much instantly. That's the whole reason to have SYN cookies working, so that your state table doesn't get full with bogus SYN requests. Even if I set net.inet.tcp.msl=7500, the incoming rate of connections outpaces the rate at which they are being removed from the state table. I'm not sending ridiculous amounts of packets either. My simulated attack is about 20-30K pps.

cmb (Administrator, Hero Member, Posts: 6287; Chris Buechler)
Re: syncookies not working in 2.0.1-RELEASE
« Reply #3 on: February 18, 2012, 12:57:07 am »
SYN cookies have nothing to do with the state table; they only apply to traffic terminating on the firewall itself. You need other controls to prevent state table exhaustion (same as with any firewall), like the various advanced options on rules - limiting states per host, per rule, whatever methodology makes sense in your specific environment.
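Added illustration (not from the thread or from pfSense itself) of the two controls discussed above, written in pf.conf syntax as documented in the OpenBSD FAQ dhatz linked. The per-rule state limits are the same options pfSense 2.x exposes under a rule's Advanced settings. The interface name, server address and table name are assumed for the example.

```pf
# Assumed macros for the example; adjust to the real WAN interface and
# NAT target. 192.0.2.10 is a constructed RFC 5737 documentation address.
ext_if = "em0"
webserver = "192.0.2.10"

# Table that collects sources exceeding the limits below. 'persist' keeps
# the table around even while no rule references it.
table <flooders> persist

# Anything already flagged is dropped before the pass rule is evaluated.
block in quick on $ext_if from <flooders>

# Weak form (roughly what the original post describes): every inbound SYN
# that matches creates a state, so a flood of unanswered SYNs fills the
# state table regardless of the SYN cookie sysctls on the firewall.
# pass in on $ext_if proto tcp to $webserver port 80 flags S/SA keep state

# Hardened form: cap concurrent states and completed connections per source
# address, rate-limit new connections per source (20 in 5 seconds), and move
# offenders into <flooders>, flushing all of their existing states.
pass in on $ext_if proto tcp to $webserver port 80 flags S/SA keep state \
    (max-src-states 50, max-src-conn 50, max-src-conn-rate 20/5, \
     overload <flooders> flush global)

# Alternative from Reply #1: pf completes the TCP handshake itself and only
# opens a connection to the LAN host once the client has finished it, so
# half-open connections never reach the web server.
# pass in on $ext_if proto tcp to $webserver port 80 flags S/SA synproxy state
```

Two points worth keeping in mind when choosing between these: the per-source limits only reduce state consumption when the flood comes from a limited set of source addresses, and synproxy protects the server behind the firewall but still tracks each proxied handshake as a state on the firewall, which is consistent with the state table still filling in Reply #2. That is why the answer above says to pick the limiting methodology that fits the specific environment.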