author: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-05-16 17:15:18 +0000
committer: Daniel Hartmeier <dhartmei@cvs.openbsd.org> 2003-05-16 17:15:18 +0000
commit: 85e053e7501287b4034b58a3a8435bf906ed929e (patch)
tree: 09f5e7909516434e61974fc7b1e719ed8d2d993e /share/man/man5
parent: d9525b078e57b78143c603ae3eb262ad75798b49 (diff)
TCP SYN proxy. Instead of 'keep state' or 'modulate state', one can use
'synproxy state' for TCP connections. pf will complete the TCP handshake with the active endpoint before passing any packets to the passive endpoint, preventing spoofed SYN floods from reaching the passive endpoint. No additional memory requirements, no cookies needed, random initial sequence numbers, uses the existing sequence number modulators to translate packets after the handshakes. ok frantzen@
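The mechanism the commit message describes, as an added toy model written for this page (not pf's code): one state entry per TCP connection answers the active endpoint's SYN itself, sends nothing to the passive endpoint until the third packet of that handshake arrives, then runs a second handshake with its own random ISN and shifts sequence numbers between the two ISN spaces. The `Pkt` tuple, the `SynProxy` class and its state names are assumptions of the model, not pf internals.

```python
import random
from collections import namedtuple

MASK = 0xFFFFFFFF  # TCP sequence numbers wrap at 32 bits
Pkt = namedtuple("Pkt", "flags seq ack", defaults=(0,))  # flags like "S", "SA", "A", "PA"

class SynProxy:  # one pf-style state entry for one TCP connection (illustrative, not pf's code)
    def __init__(self, rng=random):
        self.rng, self.state, self.to_active, self.to_passive = rng, "NONE", [], []
        # ISNs of handshake 1 (active endpoint <-> proxy) and handshake 2 (proxy <-> passive endpoint)
        self.active_isn = self.proxy_isn_a = self.proxy_isn_p = self.passive_isn = None

    def from_active(self, p):  # states: NONE -> SYNACK_SENT -> PROXY_SYN_SENT -> ESTABLISHED
        if self.state == "NONE" and p.flags == "S":
            # Answer the SYN ourselves with a random ISN; the passive side sees nothing yet.
            self.active_isn, self.proxy_isn_a = p.seq, self.rng.getrandbits(32)
            self.to_active.append(Pkt("SA", self.proxy_isn_a, (p.seq + 1) & MASK))
            self.state = "SYNACK_SENT"
        elif self.state == "SYNACK_SENT" and p.flags == "A" and p.ack == (self.proxy_isn_a + 1) & MASK:
            # Third packet arrived, so the source is reachable: start handshake 2 with a fresh ISN.
            self.proxy_isn_p = self.rng.getrandbits(32)
            self.to_passive.append(Pkt("S", self.proxy_isn_p))
            self.state = "PROXY_SYN_SENT"
        elif self.state == "ESTABLISHED":
            # Shift seq/ack between the two ISN spaces (the sequence number modulator) and forward.
            seq = (p.seq + self.proxy_isn_p - self.active_isn) & MASK
            ack = (p.ack + self.passive_isn - self.proxy_isn_a) & MASK
            self.to_passive.append(Pkt(p.flags, seq, ack))
        # Anything else (a spoofed SYN whose sender never ACKs, a bogus ACK) is dropped.

    def from_passive(self, p):
        if self.state == "PROXY_SYN_SENT" and p.flags == "SA" and p.ack == (self.proxy_isn_p + 1) & MASK:
            self.passive_isn = p.seq  # finish handshake 2 on the active endpoint's behalf
            self.to_passive.append(Pkt("A", (self.proxy_isn_p + 1) & MASK, (p.seq + 1) & MASK))
            self.state = "ESTABLISHED"
        # Established passive -> active traffic would be shifted the other way (omitted here).

def spoofed_syn_flood(n=1000):  # n SYNs whose senders never answer, one state entry each
    states = [SynProxy() for _ in range(n)]
    for s in states:
        s.from_active(Pkt("S", random.getrandbits(32)))
    return sum(len(s.to_passive) for s in states)  # 0: nothing reaches the passive endpoint

def legit_connection(active_isn=1000, passive_isn=5000):  # honest client, both handshakes
    s = SynProxy()
    s.from_active(Pkt("S", active_isn))
    s.from_active(Pkt("A", active_isn + 1, (s.to_active[0].seq + 1) & MASK))  # finishes handshake 1
    s.from_passive(Pkt("SA", passive_isn, (s.to_passive[0].seq + 1) & MASK))  # server answers handshake 2
    s.from_active(Pkt("PA", active_isn + 1, (s.to_active[0].seq + 1) & MASK))  # first data packet
    return s, s.to_passive[-1]  # the data packet as seen by the passive endpoint
```

`spoofed_syn_flood()` returns 0 however many SYNs are thrown at it, while `legit_connection()` shows the client's first data packet arriving at the passive endpoint with its seq/ack already rebased into the second handshake's ISN space.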
Diffstat (limited to 'share/man/man5')
-rw-r--r--  share/man/man5/pf.conf.5  40
1 files changed, 39 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 1b403ab3a7b..ccb01b81f61 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.239 2003/05/16 09:08:58 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.240 2003/05/16 17:15:17 dhartmei Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1595,6 +1595,44 @@ Using a
modifier on
.Ar modulate state
rules between fast networks is suggested to prevent ACK storms.
+.Sh SYN PROXY
+By default,
+.Xr pf 4
+passes packets part of a
+.Xr tcp 4
+handshake between the endpoints.
+The
+.Ar synproxy state
+option can be used to cause
+.Xr pf 4
+to itself complete the handshake with the active endpoint, perform a handshake
+with the passive endpoint, and then forward packets between the endpoints.
+.Pp
+No packets are sent to the passive endpoint before the active endpoint has
+completed the handshake, hence so-called SYN floods with spoofed source
+addresses will not reach the passive endpoint, as the sender can't complete the
+handshake.
+.Pp
+The proxy is transparent to both endpoints, they each see a single
+connection from/to the other endpoint.
+.Xr pf 4
+choses random initial sequence numbers for both handshakes.
+Once the handshakes are completed, the sequence number modulators
+(see previous section) are used to translate further packets of the
+connection.
+Hence,
+.Ar synproxy state
+includes
+.Ar modulate state
+and
+.Ar keep state
+.
+.Pp
+Example:
+.Bd -literal -offset indent
+pass in proto tcp from any to any port www flags S/SA synproxy state
+.Ed
+.Pp
.Sh STATEFUL TRACKING OPTIONS
Both
.Ar keep state
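Review bot: the lone `.` on its own line after `.Ar keep state` (closing the "Hence, synproxy state includes modulate state and keep state" sentence) is an empty roff request and produces no output, so the rendered sentence loses its final period; pass the punctuation as a trailing argument instead, `.Ar keep state .`, which mdoc treats as a closing delimiter. Two wording nits in the same block: "choses random initial sequence numbers" should be "chooses", and "The proxy is transparent to both endpoints, they each see a single connection" is a comma splice (a semicolon or "and they each see" would do). Consider also "passes packets that are part of a" for "passes packets part of a" in the opening sentence of the section.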