Netgate Discussion Forum

    Any way of "TCP intercept" on pfsense?

    D-Kun

      Hi,

      does anyone know if it's somehow possible to implement a Cisco-like "TCP intercept" (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html) with our beloved pfSense?
      For cases of distributed SYN floods onto a webserver?

      Greetz

      Harvy66

        Under a matching firewall rule, go to "State Type" then set to "synproxy state". It does have the same limitation that Cisco has in that link you added.

        TCP options that are negotiated on handshake (such as RFC 1323 on window scaling) will not be negotiated because the TCP intercept software does not know what the server can do or will negotiate.

        This does mean the max TCP window size will be 64KiB, which is about 5Mb/s with a 100ms RTT.
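        The rule that the "State Type: synproxy state" setting corresponds to, written out in pf.conf syntax as an added illustration (this is not from the post and not pfSense's generated ruleset; the interface name, the server address and the port list are assumptions). On pfSense the ruleset is generated from the GUI and manual edits are overwritten on reload, so this is for understanding what the setting does, not for pasting into the box.

```pf
# Added example, not from the forum post or the pfSense project.
# Assumed macros: $wan_if is the WAN interface, $webserver the protected host.
wan_if    = "em0"
webserver = "203.0.113.10"

# Ordinary stateful rule: every SYN is passed straight through, so a
# spoofed SYN flood fills the web server's backlog (and the state table).
# pass in on $wan_if proto tcp from any to $webserver port 80 keep state

# synproxy state: pf completes the three-way handshake with the client
# itself and only then opens the connection to the server, so half-open
# connections from spoofed sources never reach the web server.
pass in on $wan_if proto tcp from any to $webserver port { 80 443 } \
    flags S/SA synproxy state

# Caveat from the answer above: pf cannot know what the server would
# negotiate, so window scaling (RFC 1323) is not offered; the window is
# capped at 64 KiB, roughly 5 Mb/s per connection at 100 ms RTT.
```

        Because the proxy answers the SYN before the server is involved, a flood of spoofed SYNs costs pf a state entry at most, and a legitimate client only sees the proxied handshake; the price is the missing option negotiation the answer describes, which matters for long-fat-network clients more than for the flood itself.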

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.