BSD PF firewall has one extra scrub option…

The BSD Packet Filter (PF) firewall has an extra scrub option, “reassemble tcp”. Despite the name, it does not stitch TCP segments back into a byte stream; pf.conf(5) describes it as stateful normalization of a TCP connection: neither endpoint may lower its IP TTL mid-session (which defeats the trick of sending a segment that reaches the firewall but expires before it reaches the host), and TCP timestamps are modulated with a random offset so they no longer leak host uptime or make a connection easy to spoof into. I was researching and exploring the different types of fragmented packets and segmented streams that could be forwarded within a network that has a smaller-MTU link in the middle of the routing path. I am still reading about what this option does to a streamed session, and whether Linux has anything similar; the nearest thing is conntrack, which defragments IP packets before tracking them and marks out-of-window TCP segments INVALID so a rule can drop them…

Note: nftables can hand packets to user space through nfqueue. The rule below sends forwarded TCP/53 traffic for 8.8.4.4 to queue 1 (the number the Python script binds to). It assumes the ip mangle table and its FORWARD chain already exist, as they do on a host using iptables-nft; otherwise create them first. By default a queue with no listener fails closed, so matching packets are dropped whenever the script is not running; add the bypass flag to the queue statement if the rule should fail open instead.

# nft insert rule ip mangle FORWARD ip daddr 8.8.4.4 tcp dport 53 counter queue num 1

#!/usr/bin/env python3
# Bind to nfqueue 1 (the queue number in the nft rule above), decode every
# queued packet with Scapy, print it, and let it through unchanged.
from scapy.layers.inet import IP
from netfilterqueue import NetfilterQueue


def que_packet(pkt):
    # get_payload() is the raw IP packet as netfilter saw it; with GRO/LRO
    # enabled it can exceed the link MTU and hold several merged TCP segments.
    ipf = IP(pkt.get_payload())
    print("pkt", pkt)
    ipf.show()
    pkt.accept()  # verdict: pass the packet on unmodified


nfqueue = NetfilterQueue()
nfqueue.bind(1, que_packet)

try:
    nfqueue.run()  # blocks; one callback per queued packet
except KeyboardInterrupt:
    print("exit")
finally:
    nfqueue.unbind()  # once unbound, queued packets are dropped unless the rule has bypass
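The nfqueue callback above sees one IP packet at a time, so turning those packets back into the TCP byte stream is the reader's job. The following added example (not code from the original post) does that with the standard library only: it parses IPv4/TCP headers from raw bytes, refuses IP fragments (which need IP-layer reassembly first), flags packets larger than the MTU (the GRO/LRO merging the post's Edit mentions), and reassembles out-of-order and overlapping segments by sequence number, including across the 32-bit wrap. The addresses, ports and HTTP body are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post: reassembling one direction
of a TCP stream from the raw IPv4 packets an nfqueue callback hands over.

Standard library only, so it runs offline; the packets are constructed inline
with build_packet() and the addresses, ports and HTTP body are made up."""
import struct

MTU = 1500
SEQ_MASK = 0xFFFFFFFF


def parse_ipv4_tcp(raw):
    """Return (flow, seq, payload, oversize) for one IPv4/TCP packet.

    flow is (src, dst, sport, dport) so segments of different connections are
    kept apart. IP fragments raise ValueError: only the first fragment carries
    the TCP header, so they need IP-layer reassembly before this step."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (raw[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack_from("!HxxH", raw, 2)
    if flags_frag & 0x3FFF:  # MF flag set or non-zero fragment offset
        raise ValueError("IP fragment: reassemble at the IP layer first")
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport, seq = struct.unpack_from("!HHI", raw, ihl)
    doff = (raw[ihl + 12] >> 4) * 4
    payload = raw[ihl + doff:total_len]
    # Larger than the MTU means GRO/LRO merged several wire segments before
    # netfilter saw the packet; the original segment boundaries are gone.
    return (src, dst, sport, dport), seq, payload, total_len > MTU


def reassemble(segments, isn):
    """Stitch (seq, payload) pairs into a byte stream starting at isn.

    Segments may be out of order or overlap. Overlap policy: the first copy
    of a byte wins and later copies are ignored; end hosts differ here, which
    is what an IDS evasion with conflicting retransmissions exploits.
    Returns (stream, missing) where missing counts bytes never received."""
    stream, have = bytearray(), bytearray()
    for seq, data in segments:
        off = (seq - isn) & SEQ_MASK  # offset relative to isn, wrap-safe
        end = off + len(data)
        if end > len(stream):
            stream.extend(bytes(end - len(stream)))
            have.extend(bytes(end - len(have)))
        for i, b in enumerate(data):
            if not have[off + i]:
                stream[off + i] = b
                have[off + i] = 1
    return bytes(stream), have.count(0)


def build_packet(src, dst, sport, dport, seq, payload, more_fragments=False):
    """Constructed IPv4/TCP packet for testing; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & SEQ_MASK, 0,
                      5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK, no options
    total = 20 + len(tcp) + len(payload)
    flags_frag = 0x2000 if more_fragments else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, flags_frag, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp + payload


def demo():
    flow = ("192.0.2.10", "198.51.100.5", 40000, 80)  # made-up flow
    isn = 0xFFFFFFF0  # close to 2**32 so the stream crosses the wrap
    body = b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n" + b"A" * 3000
    # Three segments: the third overlaps the second by 10 bytes (as a
    # retransmission would) and is far larger than the MTU (as a GRO-merged
    # packet would be). They are delivered in reverse order.
    cuts = [(0, 100), (100, 200), (190, len(body))]
    pkts = [build_packet(*flow, isn + a, body[a:b]) for a, b in cuts]
    pkts.reverse()
    segments, oversize = [], 0
    for raw in pkts:
        key, seq, payload, big = parse_ipv4_tcp(raw)
        assert key == flow
        segments.append((seq, payload))
        oversize += big
    stream, missing = reassemble(segments, isn)
    frag = build_packet(*flow, isn, b"x" * 8, more_fragments=True)
    try:
        parse_ipv4_tcp(frag)
        fragment_rejected = False
    except ValueError:
        fragment_rejected = True
    return {"ok": stream == body, "missing": missing,
            "oversize": oversize, "fragment_rejected": fragment_rejected}


if __name__ == "__main__":
    print(demo())
```

Inside the nfqueue callback the same two steps apply: parse_ipv4_tcp() on pkt.get_payload(), then feed (seq, payload) per flow into reassemble() once the initial sequence number is known from the handshake. The overlap policy is the part worth thinking about: PF's normalization exists precisely because the firewall, the IDS and the end host can otherwise resolve conflicting overlaps differently.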

Edit: I found it complicated to work out when optimized network stacks (software or hardware offload) combine multiple TCP segments into larger IP packet payloads, and performing reassembly at that higher level was challenging. I came up with a way to solve the occasional web site having slow upload speeds for large files by running an nginx transparent reverse proxy for HTTP/HTTPS instead!

# nginx.conf: transparent proxy fed by the PF rdr rules below.
# The workers do not need root: every listener is on an unprivileged port.
user nobody;
worker_processes 1;
worker_rlimit_nofile 4096;
events {
	worker_connections 4096;
	accept_mutex on;
	multi_accept off;
}
http {
	resolver 8.8.8.8 ipv6=off;	# required because proxy_pass uses a variable
	server {
		# Loopback only: PF redirects to 127.0.0.1, and the client's Host
		# header chooses the upstream, so a listener on all interfaces
		# would be an open proxy for anyone who can reach it.
		listen 127.0.0.1:3128;
		location / {
			proxy_ignore_client_abort on;
			proxy_socket_keepalive on;
			proxy_connect_timeout 90s;
			proxy_read_timeout 90s;
			proxy_send_timeout 90s;
			proxy_pass http://$host;
			proxy_set_header Host $host;
		}
	}
}
stream {
	resolver 8.8.8.8 ipv6=off;
	server {
		# HTTPS: the upstream is chosen from the SNI in the ClientHello
		# (ngx_stream_ssl_preread_module); the TLS session is relayed,
		# not terminated. A ClientHello without SNI leaves
		# $ssl_preread_server_name empty and the connection fails.
		listen 127.0.0.1:3129;
		ssl_preread on;
		proxy_half_close on;
		proxy_socket_keepalive on;
		proxy_connect_timeout 90s;
		proxy_timeout 90s;
		proxy_pass $ssl_preread_server_name:443;
	}
	server {
		# DNS: after rdr nginx cannot learn the original destination
		# ($proxy_protocol_server_addr is only set when the peer sends a
		# PROXY protocol header, which a redirected datagram never does),
		# so every query goes to one fixed resolver; 8.8.8.8 is assumed
		# here to match the resolver directive above.
		listen 127.0.0.1:3127 udp;
		proxy_responses 1;	# one answer per query, then release the session
		proxy_timeout 90s;
		proxy_pass 8.8.8.8:53;
	}
}

# pf.conf (macOS/FreeBSD rdr syntax): rewrite traffic entering en0 to the
# nginx listeners. rdr only matches packets arriving on en0, so this host
# must be the clients' gateway with IP forwarding enabled; locally generated
# traffic is not redirected.
rdr on en0 inet proto udp from any to any port 53 -> 127.0.0.1 port 3127
rdr on en0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr on en0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 3129
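The HTTPS stream server above works only because ssl_preread can pull the server name out of the first TLS record without decrypting anything. The following added example (not code from the original post or from nginx) shows what that lookup amounts to, and the failure mode the config inherits: it builds a minimal TLS ClientHello with and without a server_name extension, extracts the SNI the way a pre-read proxy does, and derives the same upstream that proxy_pass $ssl_preread_server_name:443 would use, returning None where nginx would be left with an empty host. The host names are made up.

```python
#!/usr/bin/env python3
"""Added example, not code from the original post or from nginx: extracting
the SNI from a TLS ClientHello, as a pre-read proxy does before connecting.

Standard library only; build_client_hello() constructs the test records."""
import struct

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000


def _parse_sni(record):
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None  # not a TLS handshake record (e.g. plaintext HTTP)
    (rec_len,) = struct.unpack_from("!H", record, 3)
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello spans more than this record")
    p = 2 + 32                      # legacy_version + random
    p += 1 + hello[p]               # session_id
    (n,) = struct.unpack_from("!H", hello, p)
    p += 2 + n                      # cipher_suites
    p += 1 + hello[p]               # compression_methods
    if p >= len(hello):
        return None                 # no extensions block at all
    (ext_total,) = struct.unpack_from("!H", hello, p)
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, p)
        p += 4
        data = hello[p:p + ext_len]
        p += ext_len
        if ext_type == EXT_SERVER_NAME:
            (list_len,) = struct.unpack_from("!H", data, 0)
            q, list_end = 2, 2 + list_len
            while q + 3 <= list_end:
                name_type = data[q]
                (name_len,) = struct.unpack_from("!H", data, q + 1)
                q += 3
                if name_type == 0:  # host_name
                    return data[q:q + name_len].decode("ascii")
                q += name_len
    return None


def client_hello_sni(record):
    """Return the SNI host_name from one TLS record, or None if absent.

    Only the first record is inspected and nothing is decrypted, which is
    all ssl_preread has to work with. Malformed input raises ValueError."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def upstream_for(record, port=443):
    """The decision proxy_pass $ssl_preread_server_name:443 encodes.

    Without SNI nginx would try to connect to ":443" and fail; None models
    that. In a transparent setup the client picks this destination, so a
    real deployment should also check the name against an allowlist."""
    sni = client_hello_sni(record)
    return f"{sni}:{port}" if sni else None


def build_client_hello(sni=None):
    """Constructed TLS 1.2 ClientHello with one cipher suite; optional SNI."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        sni_ext = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, no session id
             + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
             + b"\x01\x00"                          # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(upstream_for(build_client_hello("example.test")))  # example.test:443
    print(upstream_for(build_client_hello()))                # None
```

A client that omits SNI (or a non-TLS protocol on port 443) therefore simply cannot be proxied by the stream block as written, and since the redirected client chooses the upstream, the name returned here is attacker-controlled input for anything the proxy host can reach.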

Update: modifying the nginx configuration to proxy more generically and reliably
