Re: [tor-relays] DDOS alerts from my provider

Not as nice as in *BSD's pf but a bit easier in nftables than in iptables.
Can be activated in prerouting:
https://wiki.nftables.org/wiki-nftables/index.php/Synproxy

tcp syncookies & timestamps have been enabled by default for years;
you can check them:
cat /proc/sys/net/ipv4/tcp_syncookies
cat /proc/sys/net/ipv4/tcp_timestamps

In general, you should be careful with sysctl kernel parameters. If you do
change them, only change individual settings and read and understand what they
mean. If so, it is always good to look specifically for your network driver and
DoS. With a 1G network connection, there is little to improve. In the
Cloudflare blog you will find a lot of in-depth expert knowledge about DoS.


On Thursday, 11 July 2024 09:38:34 CEST Scott Bennett via tor-relays wrote:

My understanding is that LINUX systems do not have pf, but rather have
a less flexible filter called iptables. Whether iptables or any other
packet filter that may be available on LINUX systems has synproxy or a
similar feature I do not know.

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
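For reference, an added example of the kind of synproxy ruleset the linked wiki page describes; it is not from the thread or from any poster's relay, and the ORPort 9001 is an assumed placeholder to be replaced with the relay's real port:

```nft
# Added example: SYN proxying for a relay's ORPort (assumed to be 9001) with nftables.
table ip synproxy_relay {
    chain raw_prerouting {
        type filter hook prerouting priority -300; policy accept;
        # Do not create a conntrack entry for bare SYNs to the ORPort;
        # synproxy answers them itself until the client completes the handshake.
        tcp dport 9001 tcp flags syn notrack
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Untracked SYNs and the cookie-carrying ACKs that follow are handled by synproxy;
        # mss/wscale/timestamp/sack-perm are the options it advertises to the client.
        tcp dport 9001 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        # Anything still invalid after that (e.g. an ACK without a valid cookie) is dropped.
        ct state invalid drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`. The wiki page also points out that `net.netfilter.nf_conntrack_tcp_loose` has to be set to 0 for synproxy to work, which is exactly the kind of single, understood sysctl change the advice above is about; synproxy builds on the kernel's SYN cookie code, so the syncookies/timestamps check in this message applies here too.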

Me too, but sysctl needs root privileges.
On new systems I always generate an overview of all active settings:
sysctl -a > /home/user/sysctl.txt

And especially with used servers, before I start setting them up, I save the
output of skdump or smartctl.


On Friday, 12 July 2024 10:12:09 CEST Toralf Förster via tor-relays wrote:

I prefer sysctl:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
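Tying together the two tips in this thread, checking the syncookies/timestamps switches under /proc/sys and keeping a `sysctl -a` snapshot to compare against later, here is an added example script that is not part of the thread or of any poster's setup. It runs on constructed sample data (a fake /proc tree and two made-up snapshots) so it works anywhere; the commented lines at the bottom show the live paths a relay operator would use instead. Both helpers only read, so no root is needed.

```shell
#!/bin/sh
# Added example (not from the thread). Two read-only helpers:
#  - check_value:  compare one /proc/sys entry against the expected value
#  - sysctl_drift: compare a saved "sysctl -a" snapshot with a newer one
# Neither writes to the kernel, so both run unprivileged.

# check_value FILE EXPECTED
# Prints the result and returns 0 (match), 1 (mismatch) or 2 (unreadable).
check_value() {
    file=$1
    expected=$2
    if [ ! -r "$file" ]; then
        echo "SKIP $file (not readable or not present)"
        return 2
    fi
    actual=$(cat "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok   $file = $actual"
        return 0
    fi
    echo "WARN $file = $actual (expected $expected)"
    return 1
}

# sysctl_drift BASELINE CURRENT
# Both files hold "key = value" lines as produced by 'sysctl -a'.
# Prints one line per key whose value changed or that is new since the baseline.
sysctl_drift() {
    awk -F' = ' '
        NR == FNR { base[$1] = $2; next }                       # first file: remember baseline
        !($1 in base) { printf "%s: (new) %s\n", $1, $2; next } # key absent from baseline
        base[$1] != $2 { printf "%s: %s -> %s\n", $1, base[$1], $2 }
    ' "$1" "$2"
}

# Stand-alone demo on constructed data, so nothing here depends on the host kernel.
demo() {
    tmp=$(mktemp -d)
    # constructed stand-ins for /proc/sys/net/ipv4/tcp_syncookies and tcp_timestamps
    printf '1\n' > "$tmp/tcp_syncookies"
    printf '0\n' > "$tmp/tcp_timestamps"
    check_value "$tmp/tcp_syncookies" 1
    check_value "$tmp/tcp_timestamps" 1 || :   # the WARN (non-zero return) is expected here
    # two constructed snapshots; a real host would use the saved sysctl.txt and a fresh 'sysctl -a'
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_timestamps = 1\nnet.core.somaxconn = 4096\n' \
        > "$tmp/baseline.txt"
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_timestamps = 0\nnet.core.somaxconn = 4096\nnet.ipv4.tcp_max_syn_backlog = 8192\n' \
        > "$tmp/current.txt"
    sysctl_drift "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}

# On a real relay, replace the constructed paths with the live ones, e.g.
#   check_value /proc/sys/net/ipv4/tcp_syncookies 1
#   check_value /proc/sys/net/ipv4/tcp_timestamps 1
#   sysctl -a 2>/dev/null | sysctl_drift /home/user/sysctl.txt -
demo
```

Running the drift check on a cron job against the snapshot taken at install time makes an unexpected sysctl change (a package post-install script, a tuning guide applied in a hurry) visible instead of silently living on the box.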