Closed nzkiwi68 closed 3 years ago
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
Just wanted to bump this issue -- I think this would be nice to have.
Important notices
Is your feature request related to a problem? Please describe.
No.
Describe the solution you'd like
By default enable Firewall Adaptive Timeouts (Firewall > Advanced > Miscellaneous > Firewall Adaptive Timeouts) and automatically set the start value at 60% and the end value at 120% of the current maximum state table size.
Why?
FreeBSD by default sets the Firewall Adaptive Timeouts to scale with a start value of 60% and an end value of 120% of the maximum state table size. Ref: https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+12.1-RELEASE+and+Ports&format=html
It is a great anti DOS/DDOS defense mechanism and I find myself manually setting this for every OPNsense firewall installation.
I envisage a simple check box:
Disable auto firewall adaptive timeouts: Which is off (not selected) by default, and therefore auto adaptive firewall timeouts is enabled. The Firewall Adaptive Timeouts entries "start" and "end" would be displayed in light grey and would show the actual values as determined during boot-up based on the maximum number of states table size and not be able to be changed unless you switched ON "Disable auto firewall adaptive timeouts".
Disabling auto firewall adaptive timeouts: You simply select the check box "Disable auto firewall adaptive timeouts". Then you could set the "start" and "end" entries to blank or zero to disable the function entirely, or calculate and use your own values.
Describe alternatives you considered
Manually calculate and set for each firewall instance. Remember to review and change if you add more memory or change hardware, as the maximum firewall state table size could change.
Additional context
It's minor, I know. But! It will simply add a layer of self protection for every single OPNsense firewall deployed. The actual default for FreeBSD is this adaptive function is on, and we'd be matching the normal FreeBSD default.
Here's my entries manually set for maximum state table size of 807000
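As an added illustration (this is not code from the issue author or from the OPNsense project), the POSIX shell script below does what the request describes by hand: it reads the states hard limit from text shaped like `pfctl -sm` output, derives the 60% / 120% start and end values, and prints the matching pf.conf `set timeout` line. Going one step beyond the request, it also applies the linear scaling rule from pf.conf(5) (timeouts are multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start) once the table passes adaptive.start, reaching zero at adaptive.end) so you can see what the setting does to a timeout as the table fills. The `pfctl -sm` text is a constructed sample; the 807000 figure is the state table size quoted in the issue, and the 86400 second value is the pf default for tcp.established.

```shell
#!/bin/sh
# Added illustration (not OPNsense code): derive pf adaptive timeouts from the
# state table hard limit and show how pf scales timeouts once the table fills.

# Constructed sample in the format of `pfctl -sm` (not captured from a real
# host); 807000 is the maximum state table size mentioned in the issue.
SAMPLE_PFCTL_SM='states        hard limit   807000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Print the states hard limit from text shaped like `pfctl -sm` output.
state_limit_from_pfctl() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4 }'
}

# Print "start end": 60% and 120% of the given state limit, the FreeBSD pf
# proportions the issue asks OPNsense to apply by default.
adaptive_timeouts() {
    printf '%s %s\n' $(( $1 * 60 / 100 )) $(( $1 * 120 / 100 ))
}

# Print the pf.conf line that would apply those values.
pf_timeout_line() {
    set -- $(adaptive_timeouts "$1")
    printf 'set timeout { adaptive.start %s, adaptive.end %s }\n' "$1" "$2"
}

# Effective timeout in seconds for a given state count, per pf.conf(5):
# unchanged below adaptive.start, scaled by (end - states) / (end - start)
# in between, and 0 at or above adaptive.end.
scaled_timeout() {
    # $1 base timeout, $2 adaptive.start, $3 adaptive.end, $4 current state count
    if [ "$4" -le "$2" ]; then
        echo "$1"
    elif [ "$4" -ge "$3" ]; then
        echo 0
    else
        echo $(( $1 * ($3 - $4) / ($3 - $2) ))
    fi
}

# Stand-alone run; on a real host feed `pfctl -sm` output in place of the sample.
main() {
    limit=$(state_limit_from_pfctl "$SAMPLE_PFCTL_SM")
    pf_timeout_line "$limit"
    set -- $(adaptive_timeouts "$limit")
    # tcp.established defaults to 86400 s; show it with the table 90% full.
    states=$(( limit * 90 / 100 ))
    printf 'tcp.established at %s states: %s s\n' "$states" \
        "$(scaled_timeout 86400 "$1" "$2" "$states")"
}
main
```

With the sample limit of 807000 the script prints adaptive.start 484200 and adaptive.end 968400, and shows the 24 hour tcp.established timeout cut to 43200 s when 726300 states are in use. On OPNsense the generated ruleset is rebuilt from the GUI, so the numbers belong in the "start" and "end" fields the issue names rather than in a hand-edited pf.conf.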