BSD use SYN,ACK filter to catch autottl

1 year ago · 5ef3fb9e97
4 changed files with 31 additions and 16 deletions
--- a/blockcheck.sh
+++ b/blockcheck.sh
@ -364,8 +364,8 @@ pktws_ipt_prepare()
 			;;
 		ipfw)
 			IPFW_ADD divert $IPFW_DIVERT_PORT tcp from me to any $1 proto ip${IPV} out not diverted not sockarg
-			# this redirects all incoming traffic to the port, do not use it in real life !
-			IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} in not diverted not sockarg
+			# for autottl mode
+			IPFW_ADD divert $IPFW_DIVERT_PORT tcp from any $1 to me proto ip${IPV} tcpflags syn,ack in
 			;;
 	esac
 }
--- a/docs/bsd.eng.md
+++ b/docs/bsd.eng.md
@ -155,6 +155,8 @@ For all traffic:
 ```
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
+# required for autottl mode only
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
 ```

@ -163,6 +165,8 @@ Process only table zapret with the exception of table nozapret:
 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
+# required for autottl mode only
+ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
 ```

@ -349,17 +353,19 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
-pass in  quick on em0 inet6 proto tcp from <zapret6>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ```

--- a/docs/bsd.txt
+++ b/docs/bsd.txt
@ -123,12 +123,16 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1
 Для всего трафика :
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
+# required for autottl mode only
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
 /opt/zapret/nfq/dvtws --port=989 ---dpi-desync=split2

 Для трафика только на таблицу zapret, за исключением таблицы nozapret :
 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
+# required for autottl mode only
+ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in recv em0
 /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2

 Недопущение зацикливания - повторного вхождения фейк пакетов на обработку.
@ -282,6 +286,7 @@ dvtws для всего трафика :

 /etc/pf.conf
 ------------
+pass in  quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 proto tcp from port {80,443} no state
 pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989 no state
 ------------
@ -297,17 +302,19 @@ table <zapret> file "/opt/zapret/ipset/zapret-ip.txt"
 table <zapret-user> file "/opt/zapret/ipset/zapret-ip-user.txt"
 table <nozapret> file "/opt/zapret/ipset/zapret-ip-exclude.txt"
 pass out quick on em0 inet  proto tcp to   <nozapret> port {80,443}
-pass in  quick on em0 inet  proto tcp from <zapret>  port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret>  port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet  proto tcp from <zapret-user>  port {80,443} no state
-pass out quick on em0 inet  proto tcp to   <zapret-user>  port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret> port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret> port {80,443} divert-packet port 989 no state
+pass in  quick on em0 inet  proto tcp from <zapret-user> port {80,443} no state
+pass out quick on em0 inet  proto tcp to   <zapret-user> port {80,443} divert-packet port 989 no state
 table <zapret6> file "/opt/zapret/ipset/zapret-ip6.txt"
 table <zapret6-user> file "/opt/zapret/ipset/zapret-ip-user6.txt"
 table <nozapret6> file "/opt/zapret/ipset/zapret-ip-exclude6.txt"
 pass out quick on em0 inet6 proto tcp to   <nozapret6> port {80,443}
-pass in  quick on em0 inet6 proto tcp from <zapret6>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} flags SA/SA divert-packet port 989 no state
+pass in  quick on em0 inet6 proto tcp from <zapret6> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6> port {80,443} divert-packet port 989 no state
-pass in  quick on em0 inet6 proto tcp from <zapret6-user>  port {80,443} no state
+pass in  quick on em0 inet6 proto tcp from <zapret6-user> port {80,443} no state
 pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-packet port 989 no state
 ------------
 pfctl -f /etc/pf.conf
--- a/docs/bsdfw.txt
+++ b/docs/bsdfw.txt
@ -27,9 +27,10 @@ ipfw add 100 fwd ::1,988 tcp from any to any 80,443 proto ip6 recv em1

 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
+; required for autottl mode
+ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in recv em0
+; udp
 ipfw add 100 divert 989 udp from any to any 443 out not diverted not sockarg xmit em0
-# this is required for autottl but very bad, all incoming traffic will be diverted, no way to limit like in linux (connbytes)
-ipfw add 100 divert 989 tcp from any 80,443 to any in not diverted not sockarg recv em0

 ipfw delete 100
 ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
@ -71,6 +72,7 @@ pfctl -f /etc/pf.conf

 ; dvtws works both for routed and local

+pass in  quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet port 989 no state
 pass in  quick on em0 proto tcp from port {80,443} no state
 pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989 no state
 pfctl -f /etc/pf.conf