pf and scrubbing bubbles
jbronson at wixb.com
Sun Jan 29 13:21:46 PST 2006
At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>Chuck Swiger wrote:
>>J.D. Bronson wrote:
>>>I am using this in my pf.conf (on 6.0) and was wondering if these settings
>>>While 'scrub' by itself is always recommended, I added a few more things
>>>that seem like they ought to be there.
>>>I use this for all the NICs...WAN and LAN...
>>>with the exception of removing filtering on loopback:
>>>scrub all random-id reassemble tcp fragment reassemble
>>>no scrub on lo0 all
>>>Anyone see any issues with this - especially since it's on the WAN
>>>and LAN NICs?
>>You're shifting a fair amount of workload onto the firewall by requiring it to
>>re-write all of the packets to change the IPID field; it would be highly
>>desirable to have NICs which can do hardware checksums.
>>There's a potential for DoS'ing the firewall if it does fragment reassembly,
>>modulo how well PF handles such fragmentation attacks. If you permit Path MTU
>>discovery to function, blocking fragments entirely may be a more reasonable
>>approach than trying to reassemble them on the firewall.
>>(If you need to support older machines which don't do PMTUd, that may not be an
>>option for you, though...)
>Here is really all that you need for your scrub rules.
>scrub in on $ext_if no-df
>scrub out on $ext_if random-id
>fragment-reassemble is default and does not need to be added.
>You really do not need to scrub packets on your internal LAN
>interfaces as it will slow you down.
>Here is a site for you which should offer a few tips and tricks.
I was actually the one that asked about this...not Chuck. But thanks
for the insight...it was good reading.
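The scrub rules discussed in this thread, assembled into one pf.conf fragment as an added example (not posted by anyone in the thread); the interface names are assumptions for a FreeBSD 6.x box and must be replaced with the real ones.

```pf
# Added example, not from the thread. FreeBSD 6.x pf.conf syntax.
ext_if = "fxp0"   # WAN interface (assumed name)
int_if = "fxp1"   # LAN interface (assumed name)

# No normalisation on loopback: nothing arrives there from outside and
# scrubbing it is wasted work. Matches the original poster's exception.
no scrub on lo0 all

# Inbound on the WAN side: clear the don't-fragment bit. Some OSes emit
# fragmented packets with DF set, and scrub would otherwise drop them.
# Fragment reassembly is pf's default, so it is not spelled out.
scrub in on $ext_if no-df

# Outbound on the WAN side: replace the IP ID with a random one so the
# internal hosts' ID counters are not visible outside. pf recomputes the
# IP header checksum for every such packet, which is the extra load
# mentioned above; checksum offload on the NIC reduces it. random-id is
# also the recommended companion to no-df, since a cleared DF bit on a
# zero-ID packet could otherwise collide if a router fragments it later.
scrub out on $ext_if random-id

# Deliberately no scrub rule for $int_if: normalising LAN traffic costs
# CPU on the firewall for little benefit.

# Syntax check after editing, without loading the rules (run as root):
#   pfctl -nf /etc/pf.conf
```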
More information about the freebsd-questions