mirror of https://github.com/opnsense/docs synced 2024-11-01 15:40:23 +00:00
opensense-docs/source/manual/firewall_scrub.rst
2019-08-15 17:08:32 +02:00

===========================
Normalization
===========================
Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.
OPNsense has some generic options to normalize packets on a per-interface basis; where more detailed changes are
needed, custom rules can be configured.

By default (when **Disable interface scrub** is not set), all interfaces are scrubbed for all traffic,
with :code:`fragment reassemble` enabled and :code:`max-mss` set when specified in **MSS** on the interface.

.. Note::
    Some protocols, such as NFS, require specific fragment handling, which may require specific options to be set,
    such as **IP Do-Not-Fragment**.

--------------------
Settings
--------------------
Normalization rules use the same kind of matching as normal firewall rules, which we are not going to detail here.
When a packet matches, the following options can be applied.

.. Note::
    When rules overlap, the first matching rule wins, hence per-interface options are sorted after user-configurable
    ones.


==================================== ===============================================================================
Option                               Description
==================================== ===============================================================================
Max mss                              Enforces a maximum MSS for matching TCP packets. Can also be configured on
                                     the interface as a general rule.
TOS / DSCP                           Enforces a TOS/DSCP value for matching IP packets.
Minimum TTL                          Enforces a minimum TTL for matching IP packets.
Do not fragment                      Clears the :code:`dont-fragment` bit for a matching IP packet, which disables
                                     `IP fragmentation <https://en.wikipedia.org/wiki/IP_fragmentation>`__ when set.
Random ID                            Replaces the IP identification field with random values to compensate for
                                     predictable values generated by many hosts.
                                     This option only applies to packets that are not fragmented
                                     after the optional fragment reassembly.
==================================== ===============================================================================
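
The pf ``scrub`` rules below are an added illustration of the options in this table and of the default
per-interface scrub described at the top of this page; they are not the ruleset OPNsense generates. The interface
names (``em0``, ``em1``), the NFS port, the address ranges and the numeric values are assumed for the example. The
rules are ordered the way the note above describes: the specific, user-style rules come first and the generic
per-interface rule last, so the first matching rule wins.

```pf
# Added example, not OPNsense's generated ruleset. Interface names, ports,
# networks and values are assumed for illustration.
wan = "em0"
lan = "em1"

# "Do not fragment": clear the dont-fragment bit on NFS datagrams (assumed
# UDP/2049 from the LAN) so oversized NFS packets can still be fragmented
# instead of being dropped by scrub.
scrub in on $lan proto udp from $lan:network to any port 2049 no-df

# "Max mss": clamp the TCP MSS for traffic leaving the WAN link.
scrub out on $wan proto tcp from any to any max-mss 1400

# "Minimum TTL" and "TOS / DSCP" for traffic to an assumed VoIP subnet.
# 0xb8 is DSCP EF (46) written as a raw TOS byte.
scrub out on $wan proto udp from any to 203.0.113.0/24 min-ttl 64 set-tos 0xb8

# "Random ID": replace predictable IP identification values; this only
# affects packets that are not fragmented after reassembly.
scrub out on $wan all random-id

# Default per-interface scrub (what "Disable interface scrub" turns off):
# reassemble fragments on all traffic and, where an MSS is set on the
# interface, enforce it. Placed last so the rules above take precedence.
scrub on $wan all fragment reassemble max-mss 1492
scrub on $lan all fragment reassemble
```

To check a ruleset like this for syntax errors without loading it, run ``pfctl -nf <file>``; on OPNsense the
generated ruleset is written to ``/tmp/rules.debug``. ``pfctl -sr`` shows the loaded rules, including the scrub
rules, in the order pf evaluates them, which is the order that decides which normalization options apply to an
overlapping match.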