OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • fw rule based on tcp options
« previous next »
  • Print
Pages: [1]

Author Topic: fw rule based on tcp options  (Read 1452 times)

siga75

  • Full Member
  • ***
  • Posts: 185
  • Karma: 11
    • View Profile
    • www.signorini.ch
fw rule based on tcp options
« on: October 29, 2019, 08:19:37 pm »
is it possible to apply a filter rule based on tcp options? I saw there's the possibility to do that with tcp flags

I ask this since I saw a lot of syn flood comes with no options at all, since nowadays basically no one start a tcp handshacke without at least one of SACK, win scale, ECN, and such, it would be interesting to get rid of them

I tried the synproxie state type, but it's not a good choice in my opinion, I also limited number of SYN in a timewindows and it works quite well, issue is is so simple for a tool to change source address, making syn flooding too easy
Logged
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17661
  • Karma: 1611
    • View Profile
Re: fw rule based on tcp options
« Reply #1 on: November 01, 2019, 09:18:40 am »
There's matching for IP options in pf.conf(5), but unfortunately nothing for TP as far as I can see.

https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1


Cheers,
Franco
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • fw rule based on tcp options
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2