mirror of
https://github.com/opnsense/docs
synced 2024-11-09 01:10:33 +00:00
47 lines
2.4 KiB
ReStructuredText
47 lines
2.4 KiB
ReStructuredText
|
===========================
|
||
|
Normalization
|
||
|
===========================
|
||
|
|
||
|
Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.
|
||
|
OPNsense has some generic options to normalize some packets on a per interface basis, in some cases
|
||
|
more detailed changes are needed, for which custom rules can be configured.
|
||
|
|
||
|
By default (when **Disable interface scrub** is not set), all interfaces are scrubbed for all traffic,
|
||
|
with :code:`fragment reassemble` enabled and :code:`max-mss` set when specified in **MSS** on the interface.
|
||
|
|
||
|
.. Note::
|
||
|
|
||
|
Some protocols, such as NFS, require specific fragment handling options, which my require specific options set like
|
||
|
**IP Do-Not-Fragment***
|
||
|
|
||
|
|
||
|
--------------------
|
||
|
Settings
|
||
|
--------------------
|
||
|
|
||
|
Normalization rules use the same kind of matching as normal firewall rules, which we are not going to detail here.
|
||
|
When matched, some different options can be set.
|
||
|
|
||
|
|
||
|
.. Note::
|
||
|
|
||
|
When rules overlap, the first matching rule wins, hence per interface options are sorted after user configurable
|
||
|
ones.
|
||
|
|
||
|
|
||
|
=====================================================================================================================
|
||
|
|
||
|
==================================== ===============================================================================
|
||
|
Max mss Enforces a maximum MSS for matching TCP packets. Can also be configured on
|
||
|
the interface as general rule.
|
||
|
TOS / DSCP Enforces a TOS/DCP for matching IP packets.
|
||
|
Minimum TTL Enforces a minimum TTL for matching IP packets.
|
||
|
Do not fragment Clears the :code:`dont-fragment` bit for a matching IP packet, which
|
||
|
disables
|
||
|
`IP fragmentation <https://en.wikipedia.org/wiki/IP_fragmentation>`__ when set.
|
||
|
Random ID Replaces the IP identification field with random values to compensate for
|
||
|
predictable values generated by many hosts.
|
||
|
This option only applies to packets that are not fragmented
|
||
|
after the optional fragment reassembly.
|
||
|
==================================== ===============================================================================
|