authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
commit615fa40fdb9c9961935e2cefd2bd118c7225347b (patch)
tree2fb3cd51ac24eb8f16755de83ae21fd59d9172f8
parent18a76cba38a02030b3e3550931ecf3ffc7b27e97 (diff)
Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
-rw-r--r--sbin/pfctl/parse.y15
-rw-r--r--sbin/pfctl/pfctl_parser.c4
-rw-r--r--share/man/man5/pf.conf.57
-rw-r--r--sys/net/pf_norm.c5
-rw-r--r--sys/net/pfvar.h3
5 files changed, 28 insertions, 6 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index b37742ce037..f9845ff2a75 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.308 2003/02/05 16:05:54 cedric Exp $ */
+/* $OpenBSD: parse.y,v 1.309 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -194,6 +194,7 @@ struct scrub_opts {
int minttl;
int maxmss;
int fragcache;
+ int randomid;
} scrub_opts;
struct queue_opts {
@@ -354,7 +355,7 @@ typedef struct {
%token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL
%token NOROUTE FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
%token FRAGNORM FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
-%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY
+%token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
%token REQUIREORDER YES
%token ANTISPOOF FOR
%token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT
@@ -616,6 +617,8 @@ scrubrule : SCRUB dir logquick interface af fromto scrub_opts
r.af = $5;
if ($7.nodf)
r.rule_flag |= PFRULE_NODF;
+ if ($7.randomid)
+ r.rule_flag |= PFRULE_RANDOMID;
if ($7.minttl)
r.min_ttl = $7.minttl;
if ($7.maxmss)
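Review bot: Nothing in this hunk ties the new `PFRULE_RANDOMID` flag to the rule direction, so `scrub in ... random-id` is accepted although the commit message and the pf.conf.5 hunk describe the option as applying only to outgoing packets. If outgoing-only is meant as a guarantee rather than a usage recommendation, the parser is the place to enforce it, roughly `if ($7.randomid && $2 == PF_IN) { yyerror("random-id only valid on out rules"); YYERROR; }` — assuming the `dir` nonterminal (`$2`) yields PF_IN/PF_OUT, which the hunk does not show. Otherwise the manual wording should say the option is intended for `out` rules rather than that it only applies to them. The scrubrule action starts and ends outside the hunk.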
@@ -679,6 +682,13 @@ scrub_opt : NODF {
scrub_opts.marker |= SOM_FRAGCACHE;
scrub_opts.fragcache = $1;
}
+ | RANDOMID {
+ if (scrub_opts.randomid) {
+ yyerror("random-id cannot be respecified");
+ YYERROR;
+ }
+ scrub_opts.randomid = 1;
+ }
;
fragcache : FRAGMENT FRAGNORM { $$ = 0; /* default */ }
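Review bot: The new RANDOMID branch records that the option was already seen by reusing the value field `scrub_opts.randomid` itself, whereas the neighbouring fragcache branch records presence through `scrub_opts.marker |= SOM_FRAGCACHE` before storing its value. If the `SOM_*` marker bits are the mechanism the other options use for their "cannot be respecified" checks (only the fragcache case is visible here), the new option would read more consistently by testing and setting a marker bit of its own (a new `SOM_`-prefixed constant added next to the existing ones) instead of the value. The check `if (scrub_opts.randomid)` is functionally correct as written, since the field only ever holds 0 or 1; this is a point of consistency, not correctness.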
@@ -3623,6 +3633,7 @@ lookup(char *s)
{ "queue", QUEUE},
{ "quick", QUICK},
{ "random", RANDOM},
+ { "random-id", RANDOMID},
{ "rdr", RDR},
{ "rdr-anchor", RDRANCHOR},
{ "reassemble", FRAGNORM},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 61a8994dfa9..88c25e44bde 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.139 2003/02/02 19:25:06 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.140 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -917,6 +917,8 @@ print_filter(struct pf_rule *r, int verbose)
printf("fragment ");
if (r->rule_flag & PFRULE_NODF)
printf("no-df ");
+ if (r->rule_flag & PFRULE_RANDOMID)
+ printf("random-id ");
if (r->min_ttl)
printf("min-ttl %d ", r->min_ttl);
if (r->max_mss)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 9f5a9843492..a177ee7adeb 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.176 2003/02/03 16:17:49 mpech Exp $
+.\" $OpenBSD: pf.conf.5,v 1.177 2003/02/08 20:13:19 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -431,6 +431,11 @@ bit from a matching ip packet.
Enforces a minimum ttl for matching ip packets.
.It Ar max-mss <number>
Enforces a maximum mss for matching tcp packets.
+.It Ar random-id
+Replaces the IP identification field with random values to compensate
+for predictable values generated by many hosts.
+This option only applies to outgoing packets that are not fragmented
+after the optional fragment reassembly.
.It Ar fragment reassemble
Using
.Ar scrub
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 9532eb0fad0..410fccbe5f2 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.52 2003/01/25 19:47:05 dhartmei Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.53 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -949,6 +949,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
if (r->min_ttl && h->ip_ttl < r->min_ttl)
h->ip_ttl = r->min_ttl;
+ if (r->rule_flag & PFRULE_RANDOMID)
+ h->ip_id = ip_randomid();
+
return (PF_PASS);
fragment_pass:
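Review bot: The new assignment `h->ip_id = ip_randomid();` rewrites a header field but leaves `h->ip_sum` untouched, so the IP header checksum is stale from this point unless something downstream recomputes it. The existing min_ttl rewrite just above behaves the same way, which suggests the sum is regenerated later on the output path, but that is not visible in the hunk and would not hold for a packet that reaches a consumer trusting the existing sum. If that assumption cannot be relied on everywhere, the fix is to keep the old id in a local and apply an incremental checksum update (RFC 1624 style) to `h->ip_sum` at the point of the rewrite, and the same treatment would then be due for the ttl rewrite. pf_normalize_ip starts outside the hunk; in the visible lines `dir` is not consulted, so the rewrite itself does not distinguish inbound from outbound traffic.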
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 6e6b9f94d52..93661b2a62f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.134 2003/01/21 22:23:49 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.135 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -393,6 +393,7 @@ struct pf_rule {
#define PFRULE_FRAGCROP 0x10 /* non-buffering frag cache */
#define PFRULE_FRAGDROP 0x20 /* drop funny fragments */
#define PFRULE_RETURN 0x40
+#define PFRULE_RANDOMID 0x80
#define PFSTATE_HIWAT 10000 /* default state table size */
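Review bot: `PFRULE_RANDOMID 0x80` is added without the trailing comment that `PFRULE_FRAGCROP` and `PFRULE_FRAGDROP` carry; `#define PFRULE_RANDOMID 0x80 /* replace IP IDs with random values (scrub random-id) */` would keep the flag table self-describing. It also takes the last bit of the low byte; if `rule_flag` is narrower than 32 bits the next flag will need attention, but the field's declaration is outside the hunk so this is only a reminder.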