Hi.

I experienced some errors regarding SYN proxy. I observed network traffic and realized SYN proxy doesn't set the MSS value correctly. Then I did some tests, and here are the details of my test.

I set up 3 different devices: a client, a firewall and a server. The firewall is where the SYN proxy rules are located. Before adding the SYN proxy rules, I observed these MSS and wscale values:

    10.0.0.215.60797 > 10.0.1.213.80: Flags [S], seq 3059817525, win 29200, options [mss 1460,sackOK,TS val 95678003 ecr 0,nop,wscale 7], length 0
    10.0.1.213.80 > 10.0.0.215.60797: Flags [S.], seq 3020500548, ack 3059817526, win 14480, options [mss 1460,sackOK,TS val 12703989 ecr 95678003,nop,wscale 2], length 0

So the client sets mss 1460, wscale 7; the server sets mss 1460 and wscale 2.

Then I added the rules below and started the tests:

    iptables -t raw -A PREROUTING -i enp7s0f0 -p tcp -m tcp --syn -j CT --notrack
    iptables -A FORWARD -i enp7s0f0 -p tcp -m tcp -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 2 --mss 1460
    iptables -A FORWARD -i enp7s0f0 -p tcp -m tcp -m state --state INVALID -j DROP

With these values, here is what I see on the external and internal interfaces.

External interface:

    10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win 29200, options [mss 1460,sackOK,TS val 99453267 ecr 0,nop,wscale 7], length 0
    10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 3294723050, ack 1609742328, win 0, options [mss 1460,sackOK,TS val 5761239 ecr 99453267,nop,wscale 2], length 0

Internal interface:

    10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win 229, options [mss 1460,sackOK,TS val 99453267 ecr 5761239,nop,wscale 7], length 0
    10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 1301167703, ack 1609742328, win 14480, options [mss 1460,sackOK,TS val 16479252 ecr 99453267,nop,wscale 2], length 0

Until here there is nothing wrong. Now see what happens when I set the client MSS value to 1260 by changing the MTU.

External interface:

    10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 25200, options [mss 1260,sackOK,TS val 99747035 ecr 0,nop,wscale 7], length 0
    10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 2342465663, ack 36636546, win 0, options [mss 1260,sackOK,TS val 6054999 ecr 99747035,nop,wscale 2], length 0

Internal interface:

    10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 197, options [mss 536,sackOK,TS val 99747035 ecr 6054999,nop,wscale 7], length 0
    10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 3600660781, ack 36636546, win 14480, options [mss 1460,sackOK,TS val 16773019 ecr 99747035,nop,wscale 2], length 0

As you can see, SYN proxy responds to the client with the same MSS value and opens the connection to the back end with 536. But I suppose it should send 1460 to the client and 1260 to the server.

I tried both bridged and router topology with kernel versions 5.0.13 and 4.14.21 and got the same results. iptables version is 1.4.21.

Regards
--
Ibrahim Ercan
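As an added example (not part of the original mail or of the netfilter project), here is a small Python checker that parses tcpdump lines of the shape shown above and flags the two mismatches the report describes: the MSS the proxy advertises back to the client differing from the configured --mss, and the MSS in the proxy's SYN toward the backend differing from what the client offered. The sample captures are constructed to match the values in the mail, and the expectation it checks against (configured --mss toward the client, the client's own MSS toward the server) is the one the mail states; the function and file names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample captures, modelled on the tcpdump output in the report:
# client 10.0.0.215 -> server 10.0.1.213:80 through a SYNPROXY firewall.
# Case 1: client MSS 1260, where the proxy misbehaves.
EXTERNAL_BAD = """\
10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 25200, options [mss 1260,sackOK,TS val 99747035 ecr 0,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 2342465663, ack 36636546, win 0, options [mss 1260,sackOK,TS val 6054999 ecr 99747035,nop,wscale 2], length 0
"""
INTERNAL_BAD = """\
10.0.0.215.60802 > 10.0.1.213.80: Flags [S], seq 36636545, win 197, options [mss 536,sackOK,TS val 99747035 ecr 6054999,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60802: Flags [S.], seq 3600660781, ack 36636546, win 14480, options [mss 1460,sackOK,TS val 16773019 ecr 99747035,nop,wscale 2], length 0
"""
# Case 2: client MSS 1460, where nothing looks wrong.
EXTERNAL_OK = """\
10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win 29200, options [mss 1460,sackOK,TS val 99453267 ecr 0,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 3294723050, ack 1609742328, win 0, options [mss 1460,sackOK,TS val 5761239 ecr 99453267,nop,wscale 2], length 0
"""
INTERNAL_OK = """\
10.0.0.215.60800 > 10.0.1.213.80: Flags [S], seq 1609742327, win 229, options [mss 1460,sackOK,TS val 99453267 ecr 5761239,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60800: Flags [S.], seq 1301167703, ack 1609742328, win 14480, options [mss 1460,sackOK,TS val 16479252 ecr 99453267,nop,wscale 2], length 0
"""

# Endpoints, TCP flags and the bracketed option list of one tcpdump line.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"options \[(?P<opts>[^\]]*)\]"
)


@dataclass
class Segment:
    src: str               # "ip.port" exactly as tcpdump prints it
    dst: str
    flags: str             # "S" for SYN, "S." for SYN-ACK
    mss: Optional[int]
    wscale: Optional[int]


def parse_line(line: str) -> Optional[Segment]:
    """Extract endpoints, flags and the mss/wscale options from one tcpdump line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mss = wscale = None
    for opt in m.group("opts").split(","):
        words = opt.split()
        if len(words) == 2 and words[0] == "mss":
            mss = int(words[1])
        elif len(words) == 2 and words[0] == "wscale":
            wscale = int(words[1])
    return Segment(m.group("src"), m.group("dst"), m.group("flags"), mss, wscale)


def parse_capture(text: str) -> List[Segment]:
    return [seg for seg in (parse_line(ln) for ln in text.splitlines()) if seg]


def audit_synproxy(external: str, internal: str, configured_mss: int) -> Dict[str, List[str]]:
    """For every client SYN seen on the external side, find the proxy's SYN-ACK to
    the client and the proxy's SYN to the backend, and report the mismatches the
    report describes. Returns {flow: [finding, ...]}; an empty list means clean."""
    ext, intl = parse_capture(external), parse_capture(internal)
    findings: Dict[str, List[str]] = {}
    for client_syn in (s for s in ext if s.flags == "S"):
        flow = f"{client_syn.src}>{client_syn.dst}"
        problems: List[str] = []
        synack_to_client = next((s for s in ext if s.flags == "S."
                                 and s.src == client_syn.dst and s.dst == client_syn.src), None)
        syn_to_backend = next((s for s in intl if s.flags == "S"
                               and s.src == client_syn.src and s.dst == client_syn.dst), None)
        if synack_to_client is None or syn_to_backend is None:
            problems.append("handshake incomplete in capture")
        else:
            # The proxy answers the client itself, so its SYN-ACK should carry --mss.
            if synack_to_client.mss != configured_mss:
                problems.append(f"proxy SYN-ACK to client advertises mss {synack_to_client.mss}, "
                                f"but --mss is {configured_mss}")
            # The SYN replayed to the backend should reflect what the client offered.
            if syn_to_backend.mss != client_syn.mss:
                problems.append(f"proxy SYN to backend carries mss {syn_to_backend.mss}, "
                                f"but client offered {client_syn.mss}")
            if syn_to_backend.wscale != client_syn.wscale:
                problems.append(f"proxy SYN to backend carries wscale {syn_to_backend.wscale}, "
                                f"but client offered {client_syn.wscale}")
        findings[flow] = problems
    return findings


if __name__ == "__main__":
    for label, ext, intl in (("mss 1260", EXTERNAL_BAD, INTERNAL_BAD),
                             ("mss 1460", EXTERNAL_OK, INTERNAL_OK)):
        for flow, problems in audit_synproxy(ext, intl, configured_mss=1460).items():
            print(f"[{label}] {flow}: {'OK' if not problems else ''}")
            for p in problems:
                print(f"    {p}")
```

Run it against the two captures of a real test by replacing the constructed strings with the output of tcpdump -n on each interface; the configured_mss argument must match the --mss of the SYNPROXY rule. One caveat when reading the backend-side finding: Linux SYN cookies encode the client's MSS as an index into a short table (536, 1300, 1440 and 1460 in recent kernels), so a client value that falls between entries is rounded down to the next lower one. That rounding alone explains 1260 becoming 536 on the internal interface, so a backend-side mismatch is worth reporting but is not by itself proof of a bug; the SYN-ACK to the client carrying the client's MSS instead of --mss is the part that does not follow from the cookie design.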