From b21ea0a23f4d59b7774f4f2ac3dfa4cee7d2597b Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 10 Apr 2024 15:02:25 -0400
Subject: [PATCH] raise synproxy bypass burst to 128 packets from 5

Our network servers are spiking over the default burst limit of 5 packets during regular usage. It's unclear high this should be but 5 packets is definitely too low.
---
 nftables-attestation.conf | 2 +-
 nftables-discuss.conf | 2 +-
 nftables-mail.conf | 2 +-
 nftables-matrix.conf | 2 +-
 nftables-network.conf | 2 +-
 nftables-ns1.conf | 2 +-
 nftables-ns2.conf | 2 +-
 nftables-social.conf | 2 +-
 nftables-web.conf | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 2de04a7..1063e7b 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -42,7 +42,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 7af2391..227ca74 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -42,7 +42,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 4e8ff8b..69cc7fa 100644
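Review bot: The rewritten `tcp flags syn limit rate 1024/second burst 128 packets accept` line in nftables-attestation.conf carries no comment recording why 128 was chosen or what happens once the bucket is drained, and the commit message itself says the right value is unclear; the same applies to the identical hunks in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf. A one-line comment above the rule in each file would capture the intent: `# synproxy bypass: SYNs within this rate/burst are conntracked normally; the bucket is shared by all sources and overflow falls through to the notrack rule below (burst raised 5 -> 128 after legitimate traffic exceeded the default)`. Because the limit is keyed on nothing (no per-saddr meter), a single busy client can empty the 128-packet bucket and push every other client's SYNs onto the notrack path, which from the subject line appears to be the synproxy path, although the chain that handles it is outside this patch. Adding `counter` before `accept` on this rule, e.g. `tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets counter accept`, would make the bypass/overflow split visible next to the counter the notrack rule already has.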
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -42,7 +42,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 128068b..a066d54 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -42,7 +42,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-network.conf b/nftables-network.conf
index e880325..d66147f 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -44,7 +44,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443, 7275 } tcp flags syn counter notrack accept
 udp dport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 3859a51..d143868 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -43,7 +43,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 udp dport 53 notrack accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 204b8c1..608bf28 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -48,7 +48,7 @@ table inet filter {
 tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
 udp dport 53 notrack accept
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-social.conf b/nftables-social.conf
index 5fe9fbf..2e50c70 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -42,7 +42,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
diff --git a/nftables-web.conf b/nftables-web.conf
index 288a1df..75c639c 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -46,7 +46,7 @@ table inet filter {
 # drop packets to address not configured on incoming interface (strong host model)
 fib daddr . iif type != { local, broadcast, multicast } counter drop
- tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate 1024/second burst 128 packets accept
 tcp dport { 22, 80, 443 } tcp flags syn counter notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }