Monday, May 20, 2013

tcp-mss adjustment on opensource firewalls: iptables and pf

Open source firewalls built on Linux/iptables or BSD/PF can rewrite the TCP MSS (maximum segment size) value that a host advertises in its SYN. This is needed in PPPoE or VPN environments, where the tunnel overhead lowers the usable MTU below the 1500 bytes the end hosts assume. The first example shows a port-specific adjustment.

(iptables example #1)  
iptables -t mangle -A POSTROUTING -o eth1 -p tcp --tcp-flags SYN,RST SYN -m multiport --dports 22,25,80,110,179,443 -j TCPMSS --set-mss 1436

Note that --tcp-flags takes two lists (the flags to examine and the flags that must be set), so "SYN,RST SYN" matches the initial SYN but not SYN/RST, and --dport accepts only a single port or range; a list of ports needs the multiport match. The second example shows MSS clamping (aka MSS adjustment) to the path MTU: the kernel sets the MSS to the outgoing route's MTU minus the 40 bytes of header overhead (20 bytes IPv4 + 20 bytes TCP).

(iptables example#2)

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Both rules rewrite the MSS option in the SYN that opens a connection (the TCPMSS target only exists in the mangle table, and only SYN packets carry the option). Example #1 pins a fixed value, example #2 derives it from the route MTU. Experiment in your own setting to determine which one suits you; with a fixed value the tunnel or PPPoE MTU dictates the number, e.g. 1436 corresponds to an MTU of 1476, which is what a plain GRE tunnel over a 1500-byte link leaves, while PPPoE (MTU 1492) would want 1452.

Now let's move to BSD PF, as used in pfSense-style firewalls.

(pf example#1)
scrub in on em0  all max-mss 1436

The above clamps the MSS of TCP packets entering em0 (drop the "in" to scrub both directions). We can also clear the DF (don't fragment) bit so that the firewall may fragment oversized packets instead of dropping them, as shown below. Be aware that clearing DF defeats path MTU discovery for those flows, so it is a workaround for links where PMTUD is already broken; pf.conf recommends combining no-df with random-id so fragments from hosts that send DF packets with IP ID 0 stay unique.

(pf example#2)
scrub in on em0 all no-df max-mss 1436

Once again, experiment in your setting to confirm the values: max-mss only helps TCP, so UDP and ICMP traffic larger than the path MTU still depends on fragmentation (and therefore on no-df, or on the hosts honouring ICMP "fragmentation needed") to get through.
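To tie the iptables and PF sections together, here is a small shell script I added for this post (it is not part of the original rules above, and the interface names eth1/em0, the port list and the link types are illustrative assumptions). It derives the MSS from the link MTU the same way the kernel does for --clamp-mss-to-pmtu (MTU minus IP and TCP header), and prints the corresponding iptables and pf rules instead of applying them, so you can review them before loading:

```shell
#!/bin/sh
# Added example for this post (not the original rules): derive a TCP MSS from
# a link MTU and print the matching iptables / pf clamp rules. Interface names,
# ports and link types are assumptions for illustration.

# mss_for_mtu MTU [v6]
# MSS = MTU - IP header - TCP header (20 + 20 for IPv4, 40 + 20 for IPv6).
mss_for_mtu() {
    mtu=$1
    if [ "${2:-v4}" = "v6" ]; then
        echo $((mtu - 60))
    else
        echo $((mtu - 40))
    fi
}

# mtu_for_link ENCAP: MTU left on a 1500-byte Ethernet link after encapsulation.
mtu_for_link() {
    case $1 in
        ethernet) echo 1500 ;;
        pppoe)    echo 1492 ;;   # 8 bytes of PPPoE + PPP header
        gre)      echo 1476 ;;   # 20-byte outer IPv4 header + 4-byte GRE header
        *) echo "unknown link type: $1" >&2; return 1 ;;
    esac
}

# iptables_rules OUT_IF MSS PORTS
# Line 1: port-specific fixed MSS (post example #1, multiport handles the list;
#         multiport accepts at most 15 ports per rule).
# Line 2: generic clamp to the route MTU (post example #2).
# Only SYN packets carry the MSS option, hence "--tcp-flags SYN,RST SYN".
iptables_rules() {
    out_if=$1; mss=$2; ports=$3
    printf '%s\n' \
      "iptables -t mangle -A POSTROUTING -o $out_if -p tcp --tcp-flags SYN,RST SYN -m multiport --dports $ports -j TCPMSS --set-mss $mss" \
      "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# pf_rules IF MSS: scrub both directions (no "in"/"out"); no-df lets the
# firewall fragment oversized UDP/ICMP instead of dropping it.
pf_rules() {
    printf 'scrub on %s all no-df max-mss %s\n' "$1" "$2"
}

main() {
    mtu=$(mtu_for_link gre)          # 1476
    mss=$(mss_for_mtu "$mtu")        # 1436, the value used in the post
    iptables_rules eth1 "$mss" 22,25,80,110,179,443
    pf_rules em0 "$mss"
}

main
```

After loading the printed rules, verify them rather than trusting the numbers: watch a connection open with `tcpdump -ni eth1 'tcp[tcpflags] & tcp-syn != 0'` and check the mss option tcpdump prints on the SYN, and confirm the packet counters in `iptables -t mangle -L POSTROUTING -nv` (or `pfctl -vsr`) increase.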

       ^      ^
==(  @  @ ) ==
