mirror of https://github.com/opnsense/docs
Firewall, add Normalization section
parent
48ab3352bb
commit
ee0e53669c
@ -0,0 +1,46 @@
|
||||
===========================
|
||||
Normalization
|
||||
===========================
|
||||
|
||||
Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.
|
||||
OPNsense has some generic options to normalize some packets on a per interface basis, in some cases
|
||||
more detailed changes are needed, for which custom rules can be configured.
|
||||
|
||||
By default (when **Disable interface scrub** is not set), all interfaces are scrubbed for all traffic,
|
||||
with :code:`fragment reassemble` enabled and :code:`max-mss` set when specified in **MSS** on the interface.
|
||||
|
||||
.. Note::
|
||||
|
||||
Some protocols, such as NFS, require specific fragment handling options, which my require specific options set like
|
||||
**IP Do-Not-Fragment***
|
||||
|
||||
|
||||
--------------------
|
||||
Settings
|
||||
--------------------
|
||||
|
||||
Normalization rules use the same kind of matching as normal firewall rules, which we are not going to detail here.
|
||||
When matched, some different options can be set.
|
||||
|
||||
|
||||
.. Note::
|
||||
|
||||
When rules overlap, the first matching rule wins, hence per interface options are sorted after user configurable
|
||||
ones.
|
||||
|
||||
|
||||
=====================================================================================================================
|
||||
|
||||
==================================== ===============================================================================
|
||||
Max mss Enforces a maximum MSS for matching TCP packets. Can also be configured on
|
||||
the interface as general rule.
|
||||
TOS / DSCP Enforces a TOS/DCP for matching IP packets.
|
||||
Minimum TTL Enforces a minimum TTL for matching IP packets.
|
||||
Do not fragment Clears the :code:`dont-fragment` bit for a matching IP packet, which
|
||||
disables
|
||||
`IP fragmentation <https://en.wikipedia.org/wiki/IP_fragmentation>`__ when set.
|
||||
Random ID Replaces the IP identification field with random values to compensate for
|
||||
predictable values generated by many hosts.
|
||||
This option only applies to packets that are not fragmented
|
||||
after the optional fragment reassembly.
|
||||
==================================== ===============================================================================
|
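Review bot: the trailing asterisk in `**IP Do-Not-Fragment***` inside the first note block breaks the bold markup (docutils will not recognise the closing `**` when another `*` follows it and emits an "inline strong start-string without end-string" warning); drop the extra `*`. In the same sentence, "which my require specific options set like" should read "which may require", and "Enforces a TOS/DCP" in the settings table should be "TOS/DSCP" to match the row label. The lone `=====...=====` line that precedes the table (after the second note) is not part of the simple table that starts at the `==================================== ====...` border line and will render as a stray transition; either remove it or turn the table into a proper headed one by adding a header row (for example `Option` / `Description`) followed by a second border line. The Do-not-fragment row is easy to misread: "Clears the dont-fragment bit ... which disables IP fragmentation when set" mixes the effect of the option (clearing the bit, so the packet may be fragmented) with the effect of the bit itself; consider "Clears the :code:`dont-fragment` bit on matching IP packets; a set bit prevents IP fragmentation". Finally, the paragraph on **Disable interface scrub** describes the default (fragment reassembly plus optional max-mss on every interface) but not what an operator gives up by setting it; a sentence stating that fragment reassembly for that interface stops when scrub is disabled would make the trade-off explicit.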