Randomizing all IP IDs

One of the more interesting possibilities in a firewall is to randomize the IP IDs of all packets leaving your network for the outside world. Doing this breaks passive operating system determination methods that rely on IP IDs when they are used against a system protected by the firewall. Such methods depend on analyzing how the host operating system increments the IP IDs in its outgoing packets. Because our firewall ensures that the IP IDs in all the packets leaving our network are totally random, it's pretty hard to match them against a known pattern for an operating system.

This also helps to prevent enumeration of machines in a network address translated (NAT) environment. Without random IP IDs, someone outside the network can perform a statistical analysis of the IP IDs being emitted by the NAT gateway in order to count the number of machines on the private network. Randomizing the IP IDs defeats this kind of attack.

To enable random ID generation on an OpenBSD interface, put a line such as this in /etc/pf.conf:

scrub out on $EXT_IF all random-id

Replace $EXT_IF with your external interface; here EXT_IF is a macro defined earlier in the pf.conf file. For more details, refer to the OpenBSD PF FAQ…
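To check that the rule is doing its job, this added example (not part of the original post) looks for incrementing counters in the IP IDs observed on the outside of the gateway. The ID lists are constructed samples, and the function names and the max_step threshold are assumptions made for illustration.

```python
import random

def id_counter_evidence(ip_ids, max_step=16):
    """Return (fraction of packets continuing a counter, counters seen).

    A packet "continues a counter" when its IP ID is 1..max_step above
    (mod 2**16) the last ID of a counter that is already being tracked.
    """
    counters = []      # last ID seen for each tracked counter
    continued = 0
    for ip_id in ip_ids:
        best = None    # (step, index) of the closest counter behind ip_id
        for i, last in enumerate(counters):
            step = (ip_id - last) % 65536
            if 1 <= step <= max_step and (best is None or step < best[0]):
                best = (step, i)
        if best is None:
            counters.append(ip_id)       # no match: start a new counter
        else:
            counters[best[1]] = ip_id    # advance the matching counter
            continued += 1
    frac = continued / len(ip_ids) if ip_ids else 0.0
    return frac, len(counters)

def constructed_capture(randomized, packets=300, seed=1):
    """Constructed sample: IDs seen outside a NAT gateway with three hosts."""
    rng = random.Random(seed)
    hosts = [65500, 20000, 41000]        # made-up starting counters
    seen = []
    for _ in range(packets):
        h = rng.randrange(len(hosts))
        hosts[h] = (hosts[h] + rng.randint(1, 3)) % 65536
        # With random-id in effect the gateway replaces the host's value.
        seen.append(rng.randrange(65536) if randomized else hosts[h])
    return seen

if __name__ == "__main__":
    for label, randomized in (("no scrub", False), ("random-id", True)):
        frac, counters = id_counter_evidence(constructed_capture(randomized))
        print(f"{label:10s} continued={frac:.2f} counters={counters}")
```

Without scrubbing, nearly every packet continues one of a few counters, one per host; with random IDs almost no packet does, so the counter tally carries no information about the machines behind the gateway.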

ciao :]
