Next: 5 Migrating from IPFilter Up: The OpenBSD Packet Filter Previous: 3 Filtering Bridges   Contents


4 Firewalling tricks

To increase the security of the host(s) it is supposed to protect, OpenBSD PF has a number of unique features to correct mistakes in TCP/IP stack implementations, which are described in this section.

4.1 State modulation

To ensure proper delivery of TCP packets and to prevent connection hijacking, the TCP protocol uses a sequence number scheme in which a random initial sequence number (ISN) is chosen at the start of a connection and then incremented for each byte transmitted. However, many popular TCP implementations use a very poor random number generator for these ISNs [3], making it more likely that TCP connections originating from such systems can be hijacked by a malicious party.

That is why the OpenBSD PF developers added state modulation. For connections matching a PF rule, the firewall generates a better random initial sequence number of its own and translates the sequence numbers of packets passing through it from the ISN chosen by the host to the ISN chosen by the firewall, and vice versa.

This can be done by adding the modulate state keyword to PF rules, such as this one, protecting the corporate network defined in the previous chapter:

   pass  in quick on xl1 proto tcp from to any \
                                      flags S/SA modulate state

The modulate state option implies keep state, described in section 2.3.
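The translation described above is easy to get wrong around 32-bit wraparound, so here is a small added example (written for this text, not PF's own code) of how a firewall state entry can do it: it records only the difference between the host's ISN and the firewall's ISN, shifts SEQ on packets leaving the protected host and shifts ACK back on packets coming in. The ISN values and the `simulate_handshake` helper are constructed for illustration.

```python
import os
import struct

MASK32 = 0xFFFFFFFF


def add32(a, b):
    """Addition modulo 2**32, as TCP sequence arithmetic requires."""
    return (a + b) & MASK32


def sub32(a, b):
    """Subtraction modulo 2**32."""
    return (a - b) & MASK32


class ModulatedState:
    """Firewall state for one TCP connection whose initiator's ISN is modulated.

    The protected host chose its own ISN (possibly from a weak generator); the
    firewall picks a fresh random ISN and records only the difference.  Outbound
    packets get their SEQ shifted by that delta so the far end only ever sees
    the firewall's numbering; inbound packets get their ACK shifted back so the
    protected host sees its own numbering.  SACK blocks, which also carry
    sequence numbers, would need the same translation and are ignored here.
    """

    def __init__(self, host_isn, firewall_isn=None):
        if firewall_isn is None:
            # Random ISN from the OS CSPRNG; a fixed value is accepted for tests.
            firewall_isn = struct.unpack("!I", os.urandom(4))[0]
        self.delta = sub32(firewall_isn, host_isn)

    def outbound(self, seq, ack):
        """Protected host -> outside: rewrite SEQ, leave ACK alone."""
        return add32(seq, self.delta), ack

    def inbound(self, seq, ack):
        """Outside -> protected host: rewrite ACK, leave SEQ alone."""
        return seq, sub32(ack, self.delta)


def simulate_handshake(host_isn, server_isn, firewall_isn):
    """Walk a three-way handshake through the modulated state and report what
    each side observes.  All ISNs passed in are constructed sample values."""
    st = ModulatedState(host_isn, firewall_isn)
    # 1. SYN from the protected host; the server sees the modulated ISN.
    syn_seq_wire, _ = st.outbound(host_isn, 0)
    # 2. SYN/ACK from the server acknowledges the wire ISN + 1 ...
    synack_ack_wire = add32(syn_seq_wire, 1)
    # ... and the firewall translates it back to the host's own ISN + 1.
    _, synack_ack_host = st.inbound(server_isn, synack_ack_wire)
    # 3. Final ACK from the host; only its SEQ is rewritten.
    ack_seq_wire, ack_ack_wire = st.outbound(add32(host_isn, 1),
                                             add32(server_isn, 1))
    return {
        "syn_seq_seen_by_server": syn_seq_wire,
        "synack_ack_seen_by_host": synack_ack_host,
        "ack_seq_on_wire": ack_seq_wire,
        "ack_ack_on_wire": ack_ack_wire,
    }


if __name__ == "__main__":
    # A host whose ISN sits right below the 32-bit boundary still works.
    print(simulate_handshake(0xFFFFFFF0, 5000, 0x10))
```

Because only the initiator's numbering is modulated, the server's own sequence numbers pass through untouched in both directions; that is why `outbound` never touches ACK and `inbound` never touches SEQ.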

4.2 Packet normalization

Since some IP stacks don't correctly implement IP packet defragmentation, OpenBSD PF provides the scrub directive. If a scrub rule matches a packet, the PF normalization component makes sure the packet is defragmented and completely stripped of all abnormalities before it is sent along to its final destination [4].

Normalizing all incoming network traffic would require a rule such as this:

   scrub in all

The scrub directive consumes a considerable amount of firewall resources, so its use should be limited to protecting only the weak TCP/IP stack implementations.

Additional options that apply to the scrub directive are:

no-df
clear the don't fragment bit from a matching IP packet.
min-ttl number
enforce a minimum time to live for matching IP packets, dropping packets that don't meet the requirement.
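To make concrete what "defragmented and stripped of abnormalities" amounts to, here is an added example (not PF's code) that applies the two listed options, no-df and min-ttl, to option-less IPv4 headers and reassembles fragments before passing a datagram on. The sample datagrams are constructed with the `build_ipv4` helper; the policy of discarding a whole datagram when fragments overlap is a choice made for this example, not a description of PF's reassembly algorithm.

```python
import struct

IP_DF = 0x4000       # "don't fragment" bit in the flags/fragment-offset field
IP_MF = 0x2000       # "more fragments" bit
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units
HDR_LEN = 20         # this example handles option-less IPv4 headers only


def ip_checksum(hdr):
    """One's-complement checksum over a header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ttl, flags_frag, payload, ident=0x1234, proto=17,
               src=b"\x0a\x00\x00\x05", dst=b"\xc0\xa8\x01\x09"):
    """Construct a minimal IPv4 datagram (constructed sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HDR_LEN + len(payload),
                      ident, flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields this example cares about, plus the payload."""
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:HDR_LEN])
    assert vihl == 0x45, "example handles option-less IPv4 only"
    return {"ident": ident, "flags_frag": flags_frag, "ttl": ttl,
            "proto": proto, "src": src, "dst": dst,
            "payload": pkt[HDR_LEN:total_len]}


def scrub_header(pkt, no_df=False, min_ttl=0):
    """Apply the no-df and min-ttl options to one datagram.
    Returns the (possibly rewritten) packet, or None if it is dropped."""
    f = parse_ipv4(pkt)
    if f["ttl"] < min_ttl:
        return None                      # min-ttl: drop packets below the minimum
    if no_df and f["flags_frag"] & IP_DF:
        flags_frag = f["flags_frag"] & (0xFFFF & ~IP_DF)
        hdr = (pkt[:6] + struct.pack("!H", flags_frag) + pkt[8:10]
               + b"\x00\x00" + pkt[12:HDR_LEN])
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
        return hdr + pkt[HDR_LEN:]       # DF cleared, checksum recomputed
    return pkt


class Reassembler:
    """Hold fragments until a datagram is complete, then return it whole.
    Overlapping fragments discard the whole datagram (example policy)."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        f = parse_ipv4(pkt)
        off = (f["flags_frag"] & IP_OFFMASK) * 8
        mf = bool(f["flags_frag"] & IP_MF)
        if off == 0 and not mf:
            return pkt                   # not fragmented: pass straight through
        key = (f["src"], f["dst"], f["ident"], f["proto"])
        frags = self.pending.setdefault(key, [])
        frags.append((off, mf, f["payload"]))
        frags.sort(key=lambda t: t[0])
        expected = 0
        for o, _more, data in frags:
            if o < expected:
                del self.pending[key]    # overlap: discard the datagram
                return None
            if o > expected:
                return None              # hole: still waiting for fragments
            expected = o + len(data)
        if frags[-1][1]:
            return None                  # last fragment (MF=0) not yet seen
        del self.pending[key]
        payload = b"".join(d for _, _, d in frags)
        # Rebuild one unfragmented datagram (TTL taken from the last fragment).
        return build_ipv4(f["ttl"], 0, payload, ident=f["ident"],
                          proto=f["proto"], src=f["src"], dst=f["dst"])
```

A firewall would run `scrub_header` first and only then hand the packet to the reassembler, so that a fragment dropped by min-ttl never occupies reassembly memory, which is part of why the text warns about the resource cost of scrub.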


[3] ISNs
For more information about ISN generation, along with a survey of the ISN generation on some popular operating systems, see
[4] destination
At the time of writing, it is not entirely clear to me how this interacts with state keeping. Could any of the PF developers comment on this?

Wouter Coene 2002-04-05