From owner-freebsd-questions@FreeBSD.ORG Sat Jan 28 15:47:20 2006
From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Sat, 28 Jan 2006 10:47:22 -0500
To: "J.D. Bronson"
Cc: freebsd-questions@freebsd.org
Subject: Re: pf and scrubbing bubbles
Message-ID: <43DB920A.40501@mac.com>
In-Reply-To: <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com>
List-Id: User questions
User-Agent: Thunderbird 1.5 (Windows/20051201)

J.D.
Bronson wrote:
> I am using this in my pf.conf (on 6.0) and was wondering if these settings
> are appropriate.
>
> While 'scrub' by itself is always recommended, I added a few more things
> that seem like they ought to be there?
>
> I use this for all the NICs... WAN and LAN...
> with the exception to remove filtering on loopback:
>
> =======================================================
> scrub all random-id reassemble tcp fragment reassemble
> no scrub on lo0 all
> =======================================================
>
> Anyone see any issues with this - especially since it's on the WAN
> and LAN NICs?

You're shifting a fair amount of workload onto the firewall by requiring it
to rewrite all of the packets to change the IP ID field; it would be highly
desirable to have NICs which can do hardware checksums.

There's a potential for DoS'ing the firewall if it does fragment reassembly,
modulo how well PF handles such fragmentation attacks. If you permit Path MTU
discovery to function, blocking fragments entirely may be a more reasonable
approach than trying to reassemble them on the firewall. (If you need to
support older machines which don't do PMTUD, that may not be an option for
you, though...)

-- 
-Chuck
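The two pf.conf layouts discussed above, written out as an added illustration (this is not configuration from the original post or from the FreeBSD project): the poster's "scrub everything everywhere" ruleset, and the alternative the reply sketches, where the firewall never buffers fragments from the Internet and instead relies on Path MTU discovery. Interface names (em0/em1) and the frag-cache limits are assumptions for the example; the directives themselves (set limit frags, set skip, the fragment crop scrub option, the fragment filter keyword and icmp-type unreach code needfrag) are standard pf.conf(5) syntax of that era.

```pf
# pf.conf excerpt (added example, not from the original post).
# Interface names and numeric limits are assumptions for illustration.
ext_if = "em0"   # WAN side (assumption)
int_if = "em1"   # LAN side (assumption)

# ---- Option A: the poster's ruleset, as quoted in the thread ----
#
#   scrub all random-id reassemble tcp fragment reassemble
#   no scrub on lo0 all
#
# "fragment reassemble" makes pf hold every fragment in a kernel cache
# until the datagram completes or times out, on every interface.
# "random-id" rewrites the IP ID of every packet the box forwards, so
# the IP header checksum is recomputed for all traffic as well.
# If you keep this layout, at least bound the reassembly cache so a
# flood of never-completing fragments cannot exhaust kernel memory:
#
#   set limit frags 5000      # max fragment entries held (assumed value)
#   set timeout frag 30       # seconds an incomplete datagram is kept
#   set skip on lo0           # loopback needs neither scrub nor filtering

# ---- Option B: what the reply proposes ----
#
# Do not buffer fragments arriving from the untrusted side at all.
# "fragment crop" is the scrub mode that normalizes overlapping
# fragments without buffering them, so there is no reassembly state
# to exhaust; the packets reach the filter still marked as fragments.
set skip on lo0
scrub in on $ext_if all fragment crop reassemble tcp

# Reassembly on the LAN side is cheap to bound and protects internal
# hosts from overlapping-fragment tricks; keep it there only.
set limit frags 5000
scrub in on $int_if all fragment reassemble reassemble tcp

# Drop every packet that is still an IP fragment when it arrives from
# the WAN. "fragment" is the filter keyword for fragmented packets.
block in quick on $ext_if inet fragment

# Path MTU discovery is what keeps correctly behaving peers from
# sending fragments in the first place. It depends on ICMP
# "destination unreachable / fragmentation needed" (type 3, code 4)
# reaching the hosts behind the firewall, so do not silently drop it.
pass in on $ext_if inet proto icmp all icmp-type unreach code needfrag

# Remaining policy (stateful pass-out, default deny, etc.) goes below.
block in on $ext_if all
pass out on $ext_if all keep state
```

Option B is the trade-off the reply describes: hosts that do not perform PMTUD (or sit behind a path that filters the needfrag ICMP) will have their oversized datagrams fragmented and then dropped at the WAN interface, so if such machines must be supported, Option A with a bounded frag cache is the fallback. Either way, check the result with `pfctl -nf /etc/pf.conf` before loading it.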