I've been using the PF module for NATing/firewalling purposes (8 cores, 16 GB RAM hardware), and it seems to be doing well under normal traffic. But during TCP SYN floods it suffers a lot. I want the SYNPROXY feature to get enabled dynamically as the traffic increases for that particular rule (based on some threshold); this would save the servers behind it. Is it possible?
And also why do the PF states get bloated up when SYNPROXY is enabled? It stores some information like "PROXY:SRC", which apparently looks to be trivial, can this be avoided?
Can we implement something similar to SYN cookies for the PF module which can offer some sort of respite for it, and thereby add a PF state entry only upon establishing a legitimate connection?
I would be happy to implement this myself. But can someone help with where to start? How to interpret the FreeBSD kernel code?
Any suggestions?
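To illustrate the SYN-cookie idea raised in the question (answer the SYN with a stateless, verifiable ISN and only create state once the final ACK proves the client is real), here is an added worked example. It is not FreeBSD or PF code and does not reflect how their kernel implements SYN cookies; the secret key, the MSS table, the 5/2/25-bit layout of the ISN and the 64-second time tick are all assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed SYN-cookie scheme (not FreeBSD's or PF's implementation).
# The server encodes a time tick, an MSS index and a keyed hash of the
# connection 4-tuple into its initial sequence number (ISN). No state is
# stored for the half-open connection; the final ACK carries the cookie
# back and is validated before any state entry is created.

SECRET = b"constructed-secret-key-rotate-me"   # hypothetical; a kernel rotates its key
MSS_TABLE = (536, 1220, 1440, 1460)             # encodable MSS values (2-bit index)
COUNT_BITS, MSS_BITS = 5, 2
HASH_BITS = 32 - COUNT_BITS - MSS_BITS           # 25 bits of keyed hash remain
WINDOW_SECONDS = 64                              # duration of one time tick
MAX_AGE_TICKS = 2                                # reject cookies older than ~2 minutes
MASK32 = 0xFFFFFFFF


def _mac(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
         client_isn: int, count: int) -> int:
    """Keyed hash over the 4-tuple, the client's ISN and the time tick, truncated to HASH_BITS."""
    msg = struct.pack("!4sH4sHII", src_ip, src_port, dst_ip, dst_port, client_isn, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_cookie(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
                client_isn: int, mss: int, now: int) -> int:
    """Return the server ISN to put in the SYN-ACK; nothing is allocated for the client."""
    count = (now // WINDOW_SECONDS) & ((1 << COUNT_BITS) - 1)
    # Round the advertised MSS down to the nearest encodable value (index 0 if smaller than all).
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = max(candidates) if candidates else 0
    h = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count)
    return (count << (32 - COUNT_BITS)) | (mss_idx << HASH_BITS) | h


def check_cookie(src_ip: bytes, src_port: int, dst_ip: bytes, dst_port: int,
                 seq: int, ack: int, now: int):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if it is not a valid cookie."""
    client_isn = (seq - 1) & MASK32          # the ACK's seq is client_isn + 1
    server_isn = (ack - 1) & MASK32          # the ACK's ack is server_isn + 1
    count = server_isn >> (32 - COUNT_BITS)
    mss_idx = (server_isn >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    h = server_isn & ((1 << HASH_BITS) - 1)
    now_count = (now // WINDOW_SECONDS) & ((1 << COUNT_BITS) - 1)
    age = (now_count - count) & ((1 << COUNT_BITS) - 1)   # modular distance in ticks
    if age > MAX_AGE_TICKS:
        return None                          # stale cookie: replayed or very late ACK
    if h != _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count):
        return None                          # forged or mismatched 4-tuple / ISN
    return MSS_TABLE[mss_idx]                # only now would a state entry be created


if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.1:40000 -> server 192.168.1.10:443
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10])
    isn = make_cookie(src, 40000, dst, 443, client_isn=12345, mss=1460, now=100_000)
    print("SYN-ACK ISN (cookie):", hex(isn))
    print("valid ACK  ->", check_cookie(src, 40000, dst, 443, 12346, (isn + 1) & MASK32, 100_010))
    print("forged ACK ->", check_cookie(src, 40000, dst, 443, 12346, (isn + 2) & MASK32, 100_010))
    print("late ACK   ->", check_cookie(src, 40000, dst, 443, 12346, (isn + 1) & MASK32, 100_200))
```

The point for the flood case is that a spoofed SYN costs the server only a hash computation and a SYN-ACK, never a table entry, so the state table cannot be exhausted by sources that never complete the handshake; the cost is that TCP options which do not fit in the ISN (here everything but a rounded MSS) are lost, which is why real stacks enable cookies only under pressure.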