Date:      Sat, 28 Jan 2006 10:47:22 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        "J.D. Bronson" <jbronson@wixb.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf and scrubbing bubbles
Message-ID:  <43DB920A.40501@mac.com>
In-Reply-To: <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com>
References:  <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com>

J.D. Bronson wrote:
> I am using this in my pf.conf (on 6.0) and was wondering if these settings
> are appropriate.
> 
> While 'scrub' by itself is always recommended, I added a few more things
> that seem as though they ought to be there?
> 
> I use this for all the NICs...WAN and LAN...
> with the exception to remove filtering on loopback:
> 
> =======================================================
> scrub all random-id reassemble tcp fragment reassemble
> no scrub on lo0 all
> =======================================================
> 
> anyone see any issues with this - especially since it's on the WAN
> and LAN NICs?

You're shifting a fair amount of workload onto the firewall by requiring it to
re-write all of the packets to change the IPID field; it would be highly
desirable to have NICs which can do hardware checksums.

There's a potential for DoS'ing the firewall if it does fragment reassembly,
modulo how well PF handles such fragmentation attacks.  If you permit Path MTU
discovery to function, blocking fragments entirely may be a more reasonable
approach than trying to reassemble them on the firewall.

(If you need to support older machines which don't do PMTUd, that may not be an
option for you, though...)

-- 
-Chuck
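The two approaches, written out as pf.conf rule sets. This is an added illustration, not a rule set from either poster: the interface names are assumptions, and the ordering of the scrub exceptions reflects my reading that the first matching scrub rule wins. Variant A reproduces the original post's lines for comparison; variant B is one way to do what the reply suggests, blocking inbound fragments on the WAN side while passing the ICMP errors that Path MTU discovery depends on.

```pf
# Added illustration, not from the thread. Interface names are assumed.
ext_if = "em0"
int_if = "em1"

# --- Variant A: the original post, for comparison ---
# Every interface but lo0 gets IP ID randomisation, TCP normalisation and
# fragment reassembly; the firewall holds every fragment train until the
# datagram is complete (or the fragment cache entry times out).
#scrub all random-id reassemble tcp fragment reassemble
#no scrub on lo0 all

# --- Variant B: the alternative the reply describes ---
# Normalisation stays on the LAN side and on outbound WAN traffic, but
# inbound WAN traffic is never reassembled, so inbound fragments reach the
# filter rules, where the "fragment" option matches them. The scrub
# exceptions are listed first because, as I read pf, the first matching
# scrub rule is the one applied.
no scrub in on $ext_if all
no scrub on lo0 all
scrub on $int_if all random-id reassemble tcp fragment reassemble
scrub out on $ext_if all random-id reassemble tcp

# Drop anything that arrives on the WAN as a fragment (first or later).
block in log quick on $ext_if inet fragment

# Keep Path MTU discovery working: "fragmentation needed" errors from
# routers on the path must reach the hosts that sent DF-marked packets,
# and the ones our own stack generates must be allowed out.
pass in on $ext_if inet proto icmp all icmp-type unreach code needfrag
pass out on $ext_if inet proto icmp all icmp-type unreach code needfrag

# Hosts that do not do PMTUd (the caveat in the reply) are not helped by
# any of this: their traffic can arrive fragmented and hit the block rule.
```

With keep state on the outbound TCP and UDP rules, pf already passes ICMP errors that refer to an existing state; the explicit needfrag rules make the PMTUd dependency visible in the rule set and cover traffic for which no state exists. The log keyword on the block rule is there so that a PMTUd failure shows up in pflog rather than as a silent stall.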



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43DB920A.40501>