firewall: Enable SYNPROXY for untracked packets

author Michael Tremer <michael.tremer@ipfire.org>

Thu, 18 Apr 2024 21:11:41 +0000 (21:11 +0000)

committer Michael Tremer <michael.tremer@ipfire.org>

Tue, 2 Jul 2024 09:30:28 +0000 (09:30 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Thu, 18 Apr 2024 21:11:41 +0000 (21:11 +0000)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 2 Jul 2024 09:30:28 +0000 (09:30 +0000)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall

index 054d58c01db150810b74c5f8a53db0a2d4338ec4..1250b9ff4d25c7a6ae01d19b986a6b60c3886340 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -46,6 +46,20 @@ IPS_BYPASS_MASK="0x40000000"
  
  IPSET_DB_DIR="/var/lib/location/ipset"
  
+SYNPROXY_OPTIONS=(
+       # Allow clients to use Selective ACKs
+       "--sack-perm"
+
+       # Allow TCP Timestamps
+       #"--timestamp"
+
+       # Window Scaling
+       "--wscale" "9"
+
+       # Maximum Segment Size
+       "--mss" "1460"
+)
+
  function iptables() {
         /sbin/iptables --wait "$@"
  }
@@ -151,6 +165,8 @@ iptables_init() {
  
         iptables -N CTINPUT
         iptables -A CTINPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+       iptables -A CTINPUT -m conntrack --ctstate INVALID,UNTRACKED \
+               -p tcp -j SYNPROXY "${SYNPROXY_OPTIONS[@]}"
         iptables -A CTINPUT -m conntrack --ctstate INVALID -j CTINVALID
         iptables -A CTINPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
author	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 18 Apr 2024 21:11:41 +0000 (21:11 +0000)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Tue, 2 Jul 2024 09:30:28 +0000 (09:30 +0000)