diff options
author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-05-15 00:03:07 +0000 |
---|---|---|
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2003-05-15 00:03:07 +0000 |
commit | 031bf042cd29fe4f15dd1dde093eff5c60e862a3 (patch) | |
tree | c4fde0b34133bfe085fc5a5d4cf900bb70b73b41 /share | |
parent | 4468520026b30756c78bc7326e2797114bc61854 (diff) |
document scrub opt "reassemble tcp"
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 48 |
1 files changed, 37 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 6a52989a00d..8463e746bbd 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.236 2003/05/12 04:22:04 dhartmei Exp $ +.\" $OpenBSD: pf.conf.5,v 1.237 2003/05/15 00:03:06 frantzen Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -479,14 +479,6 @@ modifier (see below) is recommended in combination with the modifier to ensure unique IP identifiers. .It Ar min-ttl <number> Enforces a minimum ttl for matching ip packets. -For statefully tracked TCP connections, -.Ar scrub -will automatically (without the -.Ar min-ttl -modifier) keep the maximum TTL of each side of the connection and apply -it to all future packets. -Inhibits an attacker from sending low TTL packets through the firewall that -change state but expires before being received by the end host. .It Ar max-mss <number> Enforces a maximum mss for matching tcp packets. .It Ar random-id @@ -531,6 +523,39 @@ This option is similar to the modifier except that all overlapping or duplicate fragments will be dropped, and all further corresponding fragments will be dropped as well. +.It Ar reassemble tcp +Statefully normalizes TCP connections. +.Ar scrub reassemble tcp +rules may not have the direction (in/out) specified. +.Ar reassemble tcp +performs the following normalizations: +.Pp +.Bl -tag -width timeout -compact +.It ttl +Neither side of the connection is allowed to reduce their IP TTL. +An attacker may send a packet such that it reaches the firewall, affects +the firewall state, and expires before reaching the destination host. +.Ar reassemble tcp +will raise the TTL of all packets back up to the highest value seen on +the connection. +.It timeout modulation +Modern TCP stacks will send a timestamp on every TCP packet and echo +the other endpoints timestamp back to them. +Many operating systems will merely start the timestamp at zero when +first booted, and increment it several times a second. +The uptime of the host can be deduced by reading the timestamp and multiplying +by a constant. +Also observing several different timestamps can be used to count hosts +behind a NAT device. +And spoofing TCP packets into a connection requires knowing or guessing +valid timestamps. +Timestamps merely need to be monotonically increasing and not derived off a +guessable base time. +.Ar reassemple tcp +will cause +.Ar scrub +to modulate the TCP timestamps with a random number. +.El .El .Pp For example, @@ -2027,8 +2052,9 @@ filteropt-list = FILTEROPT-LIST FILTEROPT | FILTEROPT filteropt = USER | GROUP | FLAGS | ICMP-TYPE | ICMP6-TYPE | TOS | ( keep | modulate ) state [ '(' STATE-OPTS ')' ] | fragment | no-df | min-ttl NUMBER | max-mss NUMBER | - random-id | FRAGMENTATION | allow-opts | label STRING | - queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')' + random-id | reassemble tcp | FRAGMENTATION | allow-opts | + label STRING | + queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')' nat-rule = [ no ] nat [ on IFSPEC ] [ AF ] [ PROTOSPEC ] HOSTS [ '->' ( REDIRHOST | '{' REDIRHOST-LIST '}' ) |