raise synproxy bypass burst to 128 packets from 5

Our network servers are spiking over the default burst limit of 5
packets during regular usage. It's unclear how high this should be, but 5
packets is definitely too low.
This commit is contained in:
Daniel Micay 2024-04-10 15:02:25 -04:00
parent b38736ca74
commit b21ea0a23f
9 changed files with 9 additions and 9 deletions


@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
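Review bot: The rate-limited accept on the new burst line carries no `counter`, so nothing records how many SYNs actually take the bypass path, even though the description says the right burst value is unknown. The `notrack` rule directly below it already counts the overflow; adding a counter to the limited rule as well, `tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets counter accept`, makes the bypass/overflow ratio visible in `nft list ruleset` and gives a measured basis for tuning 128 rather than guessing. Worth noting in a comment next to the rule that an nft `limit` statement is one bucket shared by all sources, so a burst from a single client spends the budget for everyone — pre-existing, but it bears on how large the burst needs to be. The enclosing chain starts before this hunk.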


@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}


@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
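Review bot: The two SYN rules have no comment, so a reader of the file cannot tell that the limited accept is the synproxy bypass and the `notrack` accept is the hand-off; that intent currently lives only in the commit title. A comment above the limited rule along the lines of `# SYNs within the rate limit are tracked normally (synproxy bypass); the excess falls through to notrack and is presumably handled by synproxy` would capture it — the synproxy rule itself is not visible in this hunk, so confirm the wording against it. The literal 128 is also repeated verbatim across all nine files; if the file has a `define` block, `define syn_burst = 128` with `burst $syn_burst packets` here would keep the copies in step when the value is tuned again. The enclosing chain starts before this hunk.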


@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}


@ -44,7 +44,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
udp dport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept


@ -43,7 +43,7 @@ table inet filter {
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
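Review bot: Ports 22, 53, 80, 443 and 853 all draw from the one bucket on the new line, so a DNS-over-TCP or HTTPS SYN spike that exhausts the 128-packet burst also pushes SSH SYNs onto the `notrack` path. If administrative SSH should keep its bypass independently of the public services, a separate rule for port 22 placed ahead of this one, `tcp dport 22 tcp flags syn limit rate 1024/second burst 128 packets accept`, followed by the existing rule with `{ 53, 80, 443, 853 }`, gives each group its own budget. Whether that matters depends on what the synproxy path costs a connection, which is not visible in this hunk. The enclosing chain starts before this hunk.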


@ -48,7 +48,7 @@ table inet filter {
tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
udp dport 53 notrack accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}


@ -42,7 +42,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}


@ -46,7 +46,7 @@ table inet filter {
# drop packets to address not configured on incoming interface (strong host model)
fib daddr . iif type != { local, broadcast, multicast } counter drop
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}