author: Mike Frantzen <frantzen@cvs.openbsd.org> 2003-05-15 00:03:07 +0000
committer: Mike Frantzen <frantzen@cvs.openbsd.org> 2003-05-15 00:03:07 +0000
commit: 031bf042cd29fe4f15dd1dde093eff5c60e862a3
tree: c4fde0b34133bfe085fc5a5d4cf900bb70b73b41 /share
parent: 4468520026b30756c78bc7326e2797114bc61854
document scrub opt "reassemble tcp"
Diffstat (limited to 'share')
-rw-r--r-- share/man/man5/pf.conf.5 | 48
1 files changed, 37 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 6a52989a00d..8463e746bbd 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.236 2003/05/12 04:22:04 dhartmei Exp $
+.\" $OpenBSD: pf.conf.5,v 1.237 2003/05/15 00:03:06 frantzen Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -479,14 +479,6 @@ modifier (see below) is recommended in combination with the
modifier to ensure unique IP identifiers.
.It Ar min-ttl <number>
Enforces a minimum ttl for matching ip packets.
-For statefully tracked TCP connections,
-.Ar scrub
-will automatically (without the
-.Ar min-ttl
-modifier) keep the maximum TTL of each side of the connection and apply
-it to all future packets.
-Inhibits an attacker from sending low TTL packets through the firewall that
-change state but expires before being received by the end host.
.It Ar max-mss <number>
Enforces a maximum mss for matching tcp packets.
.It Ar random-id
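Review bot: Deleting the paragraph under `.It Ar min-ttl` removes the only statement that scrub keeps the maximum TTL seen on each side of a stateful TCP connection and applies it to later packets; the replacement text in this same commit attributes that behaviour to the `reassemble tcp` option. Confirm that the TTL raising really is conditional on `reassemble tcp` now rather than automatic for every statefully tracked connection, as the removed lines ("will automatically (without the min-ttl modifier)") claimed; if it is still automatic, keep the sentence here (and fix its grammar, "expires" should agree with "packets").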
@@ -531,6 +523,39 @@ This option is similar to the
modifier except that all overlapping or duplicate fragments will be
dropped, and all further corresponding fragments will be
dropped as well.
+.It Ar reassemble tcp
+Statefully normalizes TCP connections.
+.Ar scrub reassemble tcp
+rules may not have the direction (in/out) specified.
+.Ar reassemble tcp
+performs the following normalizations:
+.Pp
+.Bl -tag -width timeout -compact
+.It ttl
+Neither side of the connection is allowed to reduce their IP TTL.
+An attacker may send a packet such that it reaches the firewall, affects
+the firewall state, and expires before reaching the destination host.
+.Ar reassemble tcp
+will raise the TTL of all packets back up to the highest value seen on
+the connection.
+.It timeout modulation
+Modern TCP stacks will send a timestamp on every TCP packet and echo
+the other endpoints timestamp back to them.
+Many operating systems will merely start the timestamp at zero when
+first booted, and increment it several times a second.
+The uptime of the host can be deduced by reading the timestamp and multiplying
+by a constant.
+Also observing several different timestamps can be used to count hosts
+behind a NAT device.
+And spoofing TCP packets into a connection requires knowing or guessing
+valid timestamps.
+Timestamps merely need to be monotonically increasing and not derived off a
+guessable base time.
+.Ar reassemple tcp
+will cause
+.Ar scrub
+to modulate the TCP timestamps with a random number.
+.El
.El
.Pp
For example,
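Review bot: The tag `.It timeout modulation` does not match its body, which describes modulating TCP timestamps, not timeouts; it (and the `-width timeout` argument to `.Bl`) should read `timestamp modulation`. Further in this hunk: `.Ar reassemple tcp` is a typo for `.Ar reassemble tcp`; "rules may not have the direction (in/out) specified" is ambiguous between "must not" and "might not", so say "must not" if the parser rejects a direction; "the other endpoints timestamp" needs the possessive "endpoint's"; and "derived off a guessable base time" reads better as "derived from".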
@@ -2027,8 +2052,9 @@ filteropt-list = FILTEROPT-LIST FILTEROPT | FILTEROPT
filteropt = USER | GROUP | FLAGS | ICMP-TYPE | ICMP6-TYPE | TOS |
( keep | modulate ) state [ '(' STATE-OPTS ')' ] |
fragment | no-df | min-ttl NUMBER | max-mss NUMBER |
- random-id | FRAGMENTATION | allow-opts | label STRING |
- queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')'
+ random-id | reassemble tcp | FRAGMENTATION | allow-opts |
+ label STRING |
+ queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')'
nat-rule = [ no ] nat [ on IFSPEC ] [ AF ] [ PROTOSPEC ]
HOSTS [ '->' ( REDIRHOST | '{' REDIRHOST-LIST '}' )