fw rule based on tcp options

Started by siga75, October 29, 2019, 08:19:37 PM

Is it possible to apply a filter rule based on TCP options? I saw there's the possibility to do that with TCP flags.

I ask this since I saw a lot of SYN floods come with no options at all; since nowadays basically no one starts a TCP handshake without at least one of SACK, window scale, ECN and such, it would be interesting to get rid of them.

I tried the synproxy state type, but it's not a good choice in my opinion. I also limited the number of SYNs in a time window and it works quite well; the issue is it is so simple for a tool to change the source address, making SYN flooding too easy.
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet

There's matching for IP options in pf.conf(5), but unfortunately nothing for TCP as far as I can see.

https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5&n=1


Cheers,
Franco
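Since pf has no match criterion for TCP options, the "SYN with no options" profile from the first post has to be spotted outside the ruleset, for instance by a small tool reading packets off a capture and feeding a pf table. The following Python script is an added example, not code from this thread, from OPNsense or from pf: it decodes raw IPv4/TCP packets (no link-layer header), walks the TCP options area, treats an initial SYN as "bare" when it negotiates none of window scaling, SACK, timestamps or ECN (ECN is signalled by the ECE and CWR flags, not by an option), and counts bare SYNs per source address. The packets and addresses are constructed for the example; `build_syn` exists only to produce them and leaves checksums at zero, which the parser ignores.

```python
import struct
from collections import Counter

# TCP option kinds (EOL/NOP/MSS from the base TCP spec, SACK-permitted from
# RFC 2018, window scale and timestamps from RFC 7323).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
# TCP flag bits; an ECN-setup SYN carries ECE|CWR in the flags (RFC 3168).
SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP options area and return {kind: value bytes}.
    Stops at EOL or at the first truncated/malformed option instead of raising,
    so a hostile packet cannot crash the parser."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(raw):        # kind present but length byte missing
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                    # bogus length, stop here
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode a raw IPv4+TCP packet into the fields this check needs."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(map(str, pkt[12:16]))
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags, _win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "src": src,
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x01FF,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def is_bare_syn(p: dict) -> bool:
    """True for an initial SYN (SYN set, ACK clear) that negotiates none of
    window scaling, SACK, timestamps or ECN.  An MSS-only SYN still counts as bare."""
    flags = p["flags"]
    if not (flags & SYN) or flags & ACK:
        return False
    if {OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP} & set(p["options"]):
        return False
    if flags & (ECE | CWR):
        return False
    return True


def bare_syns_by_source(packets) -> Counter:
    """Count bare SYNs per source address, a list a firewall table could be fed from."""
    counts = Counter()
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if is_bare_syn(p):
            counts[p["src"]] += 1
    return counts


def build_syn(src: str, dst: str, sport: int, dport: int,
              options: bytes = b"", ecn: bool = False) -> bytes:
    """Build a minimal IPv4/TCP SYN for the constructed samples (checksums zero)."""
    options += b"\x00" * (-len(options) % 4)         # pad to a 32-bit boundary
    data_off = 5 + len(options) // 4
    flags = SYN | (ECE | CWR if ecn else 0)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (data_off << 12) | flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Options a typical modern client sends: MSS, SACK permitted, timestamps, NOP, window scale 7.
NORMAL_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
               + b"\x01" + b"\x03\x03\x07")

# Constructed sample traffic (not a real capture): one ordinary client SYN, one
# optionless ECN-setup SYN, and bursts of bare SYNs from two other addresses.
SAMPLE_PACKETS = (
    [build_syn("10.0.0.5", "192.0.2.10", 40000, 443, NORMAL_OPTS),
     build_syn("10.0.0.6", "192.0.2.10", 40001, 443, ecn=True)]
    + [build_syn("198.51.100.7", "192.0.2.10", 1000 + i, 443) for i in range(5)]
    + [build_syn("203.0.113.9", "192.0.2.10", 2000 + i, 443, b"\x02\x04\x05\xb4")
       for i in range(3)]
)

if __name__ == "__main__":
    for src, n in bare_syns_by_source(SAMPLE_PACKETS).most_common():
        print(f"{src}\t{n} bare SYN(s)")
```

The per-source counts are the useful output: pushed into a pf table with `pfctl -t <table> -T add`, they let an ordinary block rule do what pf cannot express directly, while the per-source SYN rate limit the first post already uses handles the rest. As the thread notes, a flooding tool can change its source address at will, so this is a supplement to synproxy or rate limiting rather than a replacement.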