tcpoptd can delete and add arbitrary TCP header options. It runs on operating systems that offer divert sockets, e.g. FreeBSD.
$ make
$ make install
tcpoptd_enable="YES"
tcpoptd_flags="..."

See below on how to configure tcpoptd_flags.
$ /usr/local/etc/rc.d/tcpoptd start
divert 10003 tcp from any to any port 25 setup

This rule redirects every SMTP packet with the SYN flag set through tcpoptd. By default, divert port 10003 is used. This can be changed by starting tcpoptd with the -p command line option.
tcpoptd V0.2 - modifies tcp header options
usage: tcpoptd [-a <opts>] [-r <opts>] [-p <port>]
[-d [-d]] [-i <pidfile>] [-u <user>]
tcpoptd -h
-a <opts> comma-separated values that are inserted into every tcp
packet; decimal and hexadecimal values are accepted, e.g.
to insert tcp option 0x4e (78) comprising two values 23 and
42:
0x4e,4,23,42
|    | |  +-- option value
|    | +----- option value
|    +------- total length incl. type and length
+------------ option type
if you are inserting an odd number of bytes, then you should
prefix these values with a nop opcode (1), e.g. instead of
45,3,4 use 1,45,3,4
-r <opts> comma-separated list of tcp header options that get removed
from every tcp packet; decimal and hexadecimal values are
accepted, e.g. to remove any occurrences of option type
0xf (15) and 11:
0xf,11
Note that option type 0 (end-of-options, padding) and
1 (nop) are always removed and added as needed at the end
of the new tcp header options.
-p <port> divert port number to listen on; defaults to 10003, e.g.
to redirect all outgoing tcp packets with syn flag set and
destined to port 25 through tcpoptd, add this to your ipfw
ruleset:
add divert 10003 tcp from me to any 25 out setup
-d run in foreground, don't write pidfile
-d -d run in foreground, don't write pidfile, debug log to stderr,
don't drop privileges
-i <pidfile> write pid to <pidfile> instead of /var/run/tcpoptd.pid
-u <user> run as user <user> instead of uid 65535 and gid 65535
-h show this help ;-)
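As an added example (not tcpoptd's own code), the following Python shows the option encoding the -a and -r switches describe: it parses a tcpoptd-style value list, walks a TCP options field record by record, removes the given option types, appends new ones and re-pads to the 32-bit boundary. The sample SYN options field is constructed for the example; padding with end-of-options bytes rather than nops is an assumption about tcpoptd's behaviour.

```python
# TCP options are type/length/value records: kind 0 (end-of-options) and
# kind 1 (nop) are single bytes, every other kind is followed by a length
# byte that counts the type, the length byte and the value.

def parse_spec(spec):
    """Turn a tcpoptd -a/-r style list such as '0x4e,4,23,42' into bytes."""
    return bytes(int(v, 0) for v in spec.split(",") if v.strip())

def walk_options(opts):
    """Yield (kind, record) for every option in a TCP options field."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end-of-options: the rest is padding
            return
        if kind == 1:            # nop: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for kind %d" % (length, kind))
        yield kind, opts[i:i + length]
        i += length

def rewrite_options(opts, add=b"", remove=()):
    """Mimic tcpoptd: drop nop/eol and every kind listed in `remove`,
    append `add` as given, then pad with end-of-options bytes to a
    multiple of 4 so the TCP data offset stays valid (padding byte choice
    is an assumption). Rejects results over the 40-byte TCP limit."""
    kept = b"".join(rec for kind, rec in walk_options(opts)
                    if kind not in remove)
    out = kept + add
    if len(out) > 40:
        raise ValueError("options exceed the 40-byte TCP maximum")
    return out + b"\x00" * (-len(out) % 4)

# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, nop,
# window scale 7 (20 bytes, the layout many stacks send).
SYN_OPTS = bytes([2, 4, 0x05, 0xb4, 4, 2, 8, 10, 0, 0, 0, 1,
                  0, 0, 0, 0, 1, 3, 3, 7])

if __name__ == "__main__":
    new = rewrite_options(SYN_OPTS, add=parse_spec("0x4e,4,23,42"),
                          remove=(8,))
    print(new.hex())
```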