From owner-freebsd-questions@FreeBSD.ORG Sun Jan 29 20:31:42 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABFF516A420 for ; Sun, 29 Jan 2006 20:31:42 +0000 (GMT) (envelope-from rmeek@russellmeek.net)
Received: from aries.russellmeek.net (rrcs-67-79-176-182.se.biz.rr.com [67.79.176.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD29543D46 for ; Sun, 29 Jan 2006 20:31:41 +0000 (GMT) (envelope-from rmeek@russellmeek.net)
Received: (qmail 38170 invoked by uid 89); 29 Jan 2006 20:31:40 -0000
Received: by simscan 1.1.0 ppid: 37125, pid: 37436, t: 0.4270s scanners: attach: 1.1.0 clamav: 0.88/m:35/d:1254 spam: 3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on mx1.russellmeek.net
X-Spam-Status: No, score=-1.4 required=7.0 tests=ALL_TRUSTED autolearn=ham version=3.1.0
Received: from unknown (HELO ?192.172.1.115?) (rmeek@russellmeek.net@192.172.1.115) by mx1.russellmeek.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 29 Jan 2006 20:31:40 -0000
Message-ID: <43DD262C.1060703@russellmeek.net>
Date: Sun, 29 Jan 2006 15:31:40 -0500
From: "Russell E. Meek"
User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Chuck Swiger , freebsd-questions@freebsd.org
References: <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com> <43DB920A.40501@mac.com>
In-Reply-To: <43DB920A.40501@mac.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: pf and scrubbing bubbles
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 29 Jan 2006 20:31:42 -0000

Chuck Swiger wrote:
> J.D. Bronson wrote:
>> I am using this in my pf.conf (on 6.0) and was wondering if these settings
>> are appropriate.
>>
>> While 'scrub' by itself is always recommended, I added a few more things
>> that seem like they ought to be there?
>>
>> I use this for all the NICs...WAN and LAN...
>> with the exception to remove filtering on loopback:
>>
>> =======================================================
>> scrub all random-id reassemble tcp fragment reassemble
>> no scrub on lo0 all
>> =======================================================
>>
>> anyone see any issues with this - especially since it's on the WAN
>> and LAN NICs?
>
> You're shifting a fair amount of workload onto the firewall by requiring it to
> re-write all of the packets to change the IPID field; it would be highly
> desirable to have NICs which can do hardware checksums.
>
> There's a potential for DoS'ing the firewall if it does fragment reassembly,
> modulo how well PF handles such fragmentation attacks. If you permit Path MTU
> discovery to function, blocking fragments entirely may be a more reasonable
> approach than trying to reassemble them on the firewall.
>
> (If you need to support older machines which don't do PMTUd, that may not be an
> option for you, though...)

Chuck,

Here is really all that you need for your scrub rules.

==================================
scrub in on $ext_if no-df
scrub out on $ext_if random-id
==================================

Remember: fragment reassemble is the default and does not need to be added.

You really do not need to scrub packets on your internal LAN interfaces as it will slow you down.

Here is a site for you which should offer a few tips and tricks.
https://www.solarflux.org/pf/pf-tips.php

Thanks,
Russell
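The two approaches discussed in this thread, laid out as one pf.conf fragment so the trade-off is visible in one place. This is an added example, not a configuration posted by anyone in the thread: the interface names em0/em1 are assumptions, and the "block fragments, let PMTUD work" rules follow Chuck's suggestion rather than anything Russell wrote. Note the caveat in the comments: any `scrub in` on an interface reassembles fragments before the filter rules run, so the `fragment` filter option only does something on an interface that is not scrubbed inbound; pick one approach per interface.

```pf
# Added example pf.conf fragment (not from the original thread).
# em0 / em1 are assumed interface names; adjust for the real box.
ext_if = "em0"
int_if = "em1"

# Leave loopback alone, as in the original poster's rule set.
no scrub on lo0 all

# --- Approach A: Russell's minimal scrub set on the WAN side only --------
# Inbound: clear the DF bit so that oversized DF packets can still be
# fragmented/reassembled instead of being dropped (no-df). fragment
# reassemble is the default and is therefore not written out.
scrub in  on $ext_if all no-df
# Outbound: randomise the IP ID field only on traffic leaving the WAN
# side, so the firewall is not rewriting every LAN packet as well.
scrub out on $ext_if all random-id

# No scrub on the LAN interface: reassembly and ID rewriting there only
# cost CPU, which is the point Russell makes about internal NICs.

# --- Approach B: Chuck's alternative, no reassembly on the firewall ------
# Only valid if the "scrub in on $ext_if" line above is REMOVED for this
# interface; with inbound scrub in place fragments never reach the filter
# and the "fragment" option below never matches.
#
# Drop fragments at the edge instead of reassembling them, so a flood of
# partial datagrams cannot tie up reassembly state on the firewall.
# block in quick on $ext_if inet all fragment
#
# For this to be safe, Path MTU discovery must keep working, which means
# ICMP "fragmentation needed" (unreachable / needfrag) must be allowed in.
# pf normally matches ICMP errors to the TCP state that provoked them; the
# explicit rule is a belt-and-braces entry for traffic pf is not tracking.
# pass in quick on $ext_if inet proto icmp all icmp-type unreach code needfrag keep state
#
# Hosts that do not do PMTUD (Chuck's closing caveat) will lose large
# packets under Approach B; for those, stay with Approach A.
```

Load-test either variant with `pfctl -nf /etc/pf.conf` before `pfctl -f`, so a syntax error does not leave the firewall without rules.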