Open-source firewalls built on Linux/iptables or BSD/PF can adjust TCP MSS values. This is useful, and often necessary, in PPPoE or VPN environments. The first example shows port-specific adjustments.
(iptables example #1)
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m multiport --dports 22,25,80,110,179,443 -o eth1 -j TCPMSS --set-mss 1436
The second example shows MSS clamping (aka MSS adjustment) to the path MTU minus 40 bytes of overhead (20 bytes each for the IP and TCP headers).
(iptables example #2)
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Now let's move to BSD PF, as commonly used in pfSense-style firewalls.
(pf example #1)
scrub in on em0 all max-mss 1436
The above does the same for packets entering/leaving em0; we could also clear the DF bit so that packets can be properly fragmented, as shown below.
(pf example #2)
scrub in on em0 all no-df max-mss 1436
Once again, experiment in your own environment to find the values that give correct TCP MSS handling and proper packet fragmentation for UDP/ICMP traffic.
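As an added illustration (not code from the original post) of what the TCPMSS target and pf's max-mss actually do to a SYN, the Python below walks the TCP options of a constructed SYN segment, lowers the MSS option to the path MTU minus the 40-byte IPv4+TCP overhead, and recomputes the TCP checksum; the 1436 used in the examples above is what a 1476-byte path MTU works out to. The addresses, ports and MTU values are constructed sample inputs.

```python
import struct

def mss_for_mtu(path_mtu: int, ipv6: bool = False) -> int:
    # The 40-byte overhead from the text: 20-byte IPv4 header + 20-byte TCP header.
    # The IPv6 base header is 40 bytes, so the overhead there is 60.
    return path_mtu - (60 if ipv6 else 40)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    # Ones-complement sum over the IPv4 pseudo-header + segment, checksum field zeroed.
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg)) + seg
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src_ip: bytes, dst_ip: bytes, mss: int) -> bytes:
    # Constructed SYN 40000->443: 20-byte header + MSS option (kind 2, len 4); data offset 6 words.
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = hdr + struct.pack("!BBH", 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, path_mtu: int):
    """Lower a SYN's MSS option to path_mtu-40 (like TCPMSS / pf max-mss); returns (segment, mss)."""
    # mss is None when the segment is not a SYN or carries no MSS option.
    if not segment[13] & 0x02:            # only SYN / SYN-ACK carry MSS
        return segment, None
    target = mss_for_mtu(path_mtu)
    data_off = (segment[12] >> 4) * 4     # header length incl. options, in bytes
    buf = bytearray(segment)
    i = 20
    while i < data_off:
        kind = buf[i]
        if kind == 0:                     # end-of-option-list
            break
        if kind == 1:                     # NOP padding
            i += 1
            continue
        length = buf[i + 1]
        if kind == 2 and length == 4:     # MSS option
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            if mss <= target:
                return segment, mss
            struct.pack_into("!H", buf, i + 2, target)
            # The rewrite invalidates the TCP checksum, so recompute it as the kernel does.
            struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
            return bytes(buf), target
        i += max(length, 2)               # guard against a malformed zero length
    return segment, None
```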