diff options
author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-02-08 20:13:21 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2003-02-08 20:13:21 +0000 |
commit | 615fa40fdb9c9961935e2cefd2bd118c7225347b (patch) | |
tree | 2fb3cd51ac24eb8f16755de83ae21fd59d9172f8 /share/man/man5/pf.conf.5 | |
parent | 18a76cba38a02030b3e3550931ecf3ffc7b27e97 (diff) |
Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to
compensate for predictable IDs generated by some hosts, and defeat
fingerprinting and NAT detection as described in the Bellovin paper
http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r-- | share/man/man5/pf.conf.5 | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 9f5a9843492..a177ee7adeb 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.176 2003/02/03 16:17:49 mpech Exp $ +.\" $OpenBSD: pf.conf.5,v 1.177 2003/02/08 20:13:19 dhartmei Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -431,6 +431,11 @@ bit from a matching ip packet. Enforces a minimum ttl for matching ip packets. .It Ar max-mss <number> Enforces a maximum mss for matching tcp packets. +.It Ar random-id +Replaces the IP identification field with random values to compensate +for predictable values generated by many hosts. +This option only applies to outgoing packets that are not fragmented +after the optional fragment reassembly. .It Ar fragment reassemble Using .Ar scrub |