authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2003-02-08 20:13:21 +0000
commit615fa40fdb9c9961935e2cefd2bd118c7225347b (patch)
tree2fb3cd51ac24eb8f16755de83ae21fd59d9172f8 /sys
parent18a76cba38a02030b3e3550931ecf3ffc7b27e97 (diff)
Add scrub option 'random-id', which replaces IP IDs with random values
for outgoing packets that are not fragmented (after reassembly), to compensate for predictable IDs generated by some hosts, and defeat fingerprinting and NAT detection as described in the Bellovin paper http://www.research.att.com/~smb/papers/fnat.pdf. ok theo@
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf_norm.c5
-rw-r--r--sys/net/pfvar.h3
2 files changed, 6 insertions, 2 deletions
diff --git a/sys/net/pf_norm.c b/sys/net/pf_norm.c
index 9532eb0fad0..410fccbe5f2 100644
--- a/sys/net/pf_norm.c
+++ b/sys/net/pf_norm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_norm.c,v 1.52 2003/01/25 19:47:05 dhartmei Exp $ */
+/* $OpenBSD: pf_norm.c,v 1.53 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@@ -949,6 +949,9 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct ifnet *ifp, u_short *reason)
if (r->min_ttl && h->ip_ttl < r->min_ttl)
h->ip_ttl = r->min_ttl;
+ if (r->rule_flag & PFRULE_RANDOMID)
+ h->ip_id = ip_randomid();
+
return (PF_PASS);
fragment_pass:
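Review bot: The new assignment to `h->ip_id` rewrites an IP header field but leaves `h->ip_sum` untouched, so the packet returns from this hook with a stale header checksum unless some caller recomputes it afterwards; ip_output() may do that for the outbound case the commit message targets, but pf_normalize_ip() takes a `dir` and nothing in this hunk limits the rewrite to PF_OUT, so I would not rely on it. pf already carries an incremental checksum helper for its NAT rewrites (pf_cksum_fixup(), old/new 16-bit value form), and applying it here keeps the header self-consistent in either direction and independent of what the call sites do. The neighbouring min_ttl write just above has the same gap, though that is pre-existing and not introduced by this commit. pf_normalize_ip() starts before this hunk, so any earlier direction check is outside my view.
```c
	if (r->rule_flag & PFRULE_RANDOMID) {
		u_int16_t ip_id = h->ip_id;

		h->ip_id = ip_randomid();
		/* keep the header checksum consistent with the rewritten ID */
		h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0);
	}
	/* … unchanged: return (PF_PASS); … */
```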
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 6e6b9f94d52..93661b2a62f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.134 2003/01/21 22:23:49 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.135 2003/02/08 20:13:20 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -393,6 +393,7 @@ struct pf_rule {
#define PFRULE_FRAGCROP 0x10 /* non-buffering frag cache */
#define PFRULE_FRAGDROP 0x20 /* drop funny fragments */
#define PFRULE_RETURN 0x40
+#define PFRULE_RANDOMID 0x80
#define PFSTATE_HIWAT 10000 /* default state table size */