[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:07.pf

Brian A. Seklecki lavalamp at spiritual-machines.org
Wed Jan 25 07:14:26 PST 2006

> III. Impact
> By sending carefully crafted sequence of IP packet fragments, a remote
> attacker can cause a system running pf with a ruleset containing a
> 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.
> IV.  Workaround
> Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules
> on systems running pf.  In most cases, such rules can be replaced by
> 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for


Just to clarify on the syntax, since it's not actually mentioned in 

Per the PF FAQ, a rule:

"scrub in all" or "scrub all"

Implies "scrub in all fragment reassemble" as a default argument/flags to 
"scrub" when not are specified, and none of the other scrubbing options 
(no-df, random-id, etc.).  This per observation of "pfctl -s all":

$ sudo grep -i scrub /etc/pf.conf
scrub in all
$ sudo pfctl -s all | grep -i scrub
scrub in all fragment reassemble


To the credit of the FAQ Author, it does state "This is the default 
behavior when no fragment option is specified." ... but that still begs 
the question: "What are the default scrubbing options, other than fragment 
reassembly, when none are specified?"

Might be useful to mention these things in the FAQ and the advisory.


> more details.
> Systems which do not use pf, or use pf but do not use the aforementioned
> rules, are not affected by this issue.

More information about the freebsd-questions mailing list