pf and scrubbing bubbles

Russell E. Meek rmeek at russellmeek.net
Sun Jan 29 13:39:03 PST 2006


J.D. Bronson wrote:

> At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>
>> Chuck Swiger wrote:
>>
>>> J.D. Bronson wrote:
>>>
>>>
>>>> I am using this in my pf.conf (on 6.0) and was wondering if these
>>>> settings are appropriate.
>>>>
>>>> While 'scrub' by itself is always recommended, I added a few more
>>>> things that seem like they ought to be there?
>>>>
>>>> I use this for all the NICs...WAN and LAN...
>>>> with the exception to remove filtering on loopback:
>>>>
>>>> =======================================================
>>>> scrub all random-id reassemble tcp fragment reassemble
>>>> no scrub on lo0 all
>>>> =======================================================
>>>>
>>>> Anyone see any issues with this - especially since it's on the WAN
>>>> and LAN NICs?
>>>>
>>>
>>> You're shifting a fair amount of workload onto the firewall by
>>> requiring it to re-write all of the packets to change the IPID field;
>>> it would be highly desirable to have NICs which can do hardware checksums.
>>>
>>> There's a potential for DoS'ing the firewall if it does fragment
>>> reassembly, modulo how well PF handles such fragmentation attacks.  If
>>> you permit Path MTU discovery to function, blocking fragments entirely
>>> may be a more reasonable approach than trying to reassemble them on the
>>> firewall.
>>>
>>> (If you need to support older machines which don't do PMTUd, that may
>>> not be an option for you, though...)
>>>
>>>
>> Chuck,
>>
>> Here is really all that you need for your scrub rules.
>>
>> ==================================
>> scrub in on $ext_if no-df
>> scrub out on $ext_if random-id
>> ==================================
>>
>> Remember:
>>
>> fragment-reassemble is default and does not need to be added.
>>
>> You really do not need to scrub packets on your internal LAN 
>> interfaces as it will slow you down.
>>
>> Here is a site for you which should offer a few tips and tricks.
>>
>> https://www.solarflux.org/pf/pf-tips.php
>>
>> Thanks,
>>
>> Russell
>
>
>
> I was actually the one that asked about this...not Chuck. But thanks 
> for the insight...it was good reading.
>
> -JD
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"

JD

Sorry about that, wrong name.

Russ
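As an added example (not from the thread and not a pf tool), a small Python lint that parses both scrub variants quoted above and flags the three points Russell raises: scrubbing every interface, the redundant 'fragment reassemble', and random-id applied to anything other than outbound traffic. The sample pf.conf is constructed from the thread's two snippets; the function and variable names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: both scrub variants quoted in the thread.
SAMPLE_PF_CONF = """\
# variant 1 (J.D.'s original)
scrub all random-id reassemble tcp fragment reassemble
no scrub on lo0 all
# variant 2 (Russell's suggestion)
scrub in on $ext_if no-df
scrub out on $ext_if random-id
"""

# Matches: [no] scrub [in|out] [on <iface>] [all] [options...]
SCRUB_RE = re.compile(
    r"^(?P<neg>no\s+)?scrub(?:\s+(?P<dir>in|out))?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+(?P<rest>.*))?$"
)

def parse_scrub_rules(conf: str) -> List[Dict]:
    """Return one dict per scrub / no scrub line, comments stripped."""
    rules = []
    for n, raw in enumerate(conf.splitlines(), 1):
        m = SCRUB_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        opts = [t for t in (m.group("rest") or "").split() if t != "all"]
        rules.append({"line": n, "negate": bool(m.group("neg")),
                      "dir": m.group("dir") or "any",
                      "iface": m.group("iface") or "all",
                      "opts": " ".join(opts)})
    return rules

def lint_scrub(conf: str) -> List[Tuple[int, str]]:
    """Flag the three points raised in the thread, keyed by line number."""
    findings = []
    for r in parse_scrub_rules(conf):
        if r["negate"]:
            continue  # 'no scrub' exceptions carry nothing to check
        if r["iface"] == "all":
            findings.append((r["line"], "scrubs every interface; restrict "
                             "it to the external interface ($ext_if)"))
        if "fragment reassemble" in r["opts"]:
            findings.append((r["line"], "'fragment reassemble' is the "
                             "default and is redundant"))
        if "random-id" in r["opts"] and r["dir"] != "out":
            findings.append((r["line"], "random-id rewrites the IP ID of "
                             "every matching packet; use 'scrub out'"))
    return findings
```

Running `lint_scrub(SAMPLE_PF_CONF)` reports three findings, all against the `scrub all` line, and none against Russell's two-line version.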

