Any way of "TCP intercept" on pfsense?
-
Hi,
does anyone know if it's somehow possible to implement a Cisco-like "TCP intercept" (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html) with our beloved pfsense?
For cases of distributed SYN floods onto a webserver? Greetz
-
Under a matching firewall rule, go to "State Type" then set to "synproxy state". It does have the same limitation that Cisco has in that link you added.
TCP options that are negotiated on handshake (such as RFC 1323 on window scaling) will not be negotiated because the TCP intercept software does not know what the server can do or will negotiate.
This does mean the max TCP window size will be 64KiB, which is about 5Mb/s with a 100ms RTT.
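For reference, the raw pf rule behind that "synproxy state" setting, as an added example that is not part of the original thread or of pfSense's generated ruleset. Interface name, address and port are assumed placeholders; the comparison rule shows the default state type beside the SYN-proxy one so the difference is visible.

```pf
# Constructed pf.conf fragment (not from the thread); $ext_if and $webserver are assumed.
ext_if = "em0"
webserver = "192.0.2.10"      # placeholder address

# Default behaviour ("keep state"): the SYN is passed straight to the server,
# which allocates a half-open connection for every spoofed SYN in a flood.
# pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state

# SYN-proxy behaviour: pf completes the three-way handshake with the client
# itself and only opens a connection to the server once the client has proven
# it can finish the handshake, so spoofed SYNs never reach the web server.
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA synproxy state

# Caveat matching the answer above: because pf answers the client's SYN before
# talking to the server, options such as window scaling are not relayed, so
# proxied connections are capped at a 64 KiB window.
```

The "flags S/SA" clause is what makes pf act only on the initial SYN; it is the usual companion of "synproxy state" and is what pfSense emits for rules with that state type.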