Firewall, add Normalization section

5 years ago · ee0e53669c
parent 48ab3352bb
commit ee0e53669c
2 changed files with 47 additions and 0 deletions
--- a/source/firewall.rst
+++ b/source/firewall.rst
@ -23,6 +23,7 @@ These are all combined in the firewall section.
   manual/shaping
   manual/firewall_groups
   manual/firewall_vip
+   manual/firewall_scrub
   manual/how-tos/shaper
   manual/how-tos/carp
   manual/diagnostics
--- a/source/manual/firewall_scrub.rst
+++ b/source/manual/firewall_scrub.rst
@ -0,0 +1,46 @@
+===========================
+Normalization
+===========================
+
+Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.
+OPNsense has some generic options to normalize some packets on a per interface basis, in some cases
+more detailed changes are needed, for which custom rules can be configured.
+
+By default (when **Disable interface scrub** is not set), all interfaces are scrubbed for all traffic,
+with :code:`fragment reassemble` enabled and :code:`max-mss` set when specified in **MSS** on the interface.
+
+.. Note::
+
+    Some protocols, such as NFS, require specific fragment handling options, which my require specific options set like
+    **IP Do-Not-Fragment***
+
+
+--------------------
+Settings
+--------------------
+
+Normalization rules use the same kind of matching as normal firewall rules, which we are not going to detail here.
+When matched, some different options can be set.
+
+
+.. Note::
+
+  When rules overlap, the first matching rule wins, hence per interface options are sorted after user configurable
+  ones.
+
+
+=====================================================================================================================
+
+====================================  ===============================================================================
+Max mss                               Enforces a maximum MSS for matching TCP packets. Can also be configured on
+                                      the interface as general rule.
+TOS / DSCP                            Enforces a TOS/DCP for matching IP packets.
+Minimum TTL                           Enforces a minimum TTL for matching IP packets.
+Do not fragment                       Clears the :code:`dont-fragment` bit for a matching IP packet, which
+                                      disables
+                                      `IP fragmentation <https://en.wikipedia.org/wiki/IP_fragmentation>`__ when set.
+Random ID                             Replaces the IP identification field with random values to compensate for
+                                      predictable values generated by many hosts.
+                                      This option only applies to packets that are not fragmented
+                                      after the optional fragment reassembly.
+====================================  ===============================================================================