From: "J.D. Bronson"
To: "Russell E. Meek"
Cc: freebsd-questions@freebsd.org
Date: Sun, 29 Jan 2006 15:21:44 -0600
Subject: Re: pf and scrubbing bubbles
Message-Id: <7.0.1.0.2.20060129152112.012780f0@sixcompanies.com>
In-Reply-To: <43DD262C.1060703@russellmeek.net>

At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>Chuck Swiger wrote:
>
>>J.D. Bronson wrote:
>>
>>>I am using this in my pf.conf (on 6.0) and was wondering if these settings
>>>are appropriate.
>>>
>>>While 'scrub' by itself is always recommended, I added a few more things
>>>that seem to ought to be there?
>>>
>>>I use this for all the NICs...WAN and LAN...
>>>with the exception to remove filtering on loopback:
>>>
>>>=======================================================
>>>scrub all random-id reassemble tcp fragment reassemble
>>>no scrub on lo0 all
>>>=======================================================
>>>
>>>anyone see any issues with this - especially since it's on the WAN
>>>and LAN NICs?
>>>
>>
>>You're shifting a fair amount of workload onto the firewall by
>>requiring it to re-write all of the packets to change the IPID field;
>>it would be highly desirable to have NICs which can do hardware checksums.
>>
>>There's a potential for DoS'ing the firewall if it does fragment reassembly,
>>modulo how well PF handles such fragmentation attacks. If you permit Path MTU
>>discovery to function, blocking fragments entirely may be a more reasonable
>>approach than trying to reassemble them on the firewall.
>>
>>(If you need to support older machines which don't do PMTUd, that may not
>>be an option for you, though...)
>>
>
>Chuck,
>
>Here is really all that you need for your scrub rules.
>
>==================================
>scrub in on $ext_if no-df
>scrub out on $ext_if random-id
>==================================
>
>Remember:
>
>fragment-reassemble is default and does not need to be added.
>
>You really do not need to scrub packets on your internal LAN
>interfaces as it will slow you down.
>
>Here is a site for you which should offer a few tips and tricks.
>
>https://www.solarflux.org/pf/pf-tips.php
>
>Thanks,
>
>Russell

I was actually the one that asked about this...not Chuck.
But thanks for the insight...it was good reading.

-JD
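Added example, not part of this thread and not written by any of its participants: a complete minimal pf.conf that assembles the scrub rules Russell recommends (external interface only, no scrub on the LAN side, loopback exempt) and adds a bound on the fragment-reassembly pool, which is the standard pf answer to the resource-exhaustion concern Chuck raises. The interface names `em0` and `em1`, the LAN prefix, and the limit and timeout values are assumptions; `set limit frags` and `set timeout frag` are regular pf.conf settings whose defaults are 5000 entries and 30 seconds.

```conf
# Added example pf.conf (not from the thread). Interface names, the LAN
# prefix and the numeric limits below are assumed; adjust to your host.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Bound what pf may spend on reassembly. "frags" caps the number of
# fragment entries held in memory (default 5000); "frag" is how long an
# incomplete datagram is kept before being discarded (default 30 s).
# Lower values limit the fragment-flood exposure discussed in the thread.
set limit frags 2000
set timeout frag 15

# Loopback is neither normalized nor filtered (covers the thread's
# "no scrub on lo0 all" and also skips the filter rules for lo0).
set skip on lo0

# Normalization on the external interface only. IPv4 fragment reassembly
# is implied by every scrub rule, so "fragment reassemble" is not spelled
# out. "no-df" clears the DF bit so reassembled datagrams can still be
# forwarded; "random-id" replaces the IP ID on outbound packets.
scrub in  on $ext_if no-df
scrub out on $ext_if random-id

# The internal interface deliberately has no scrub rule, so LAN traffic is
# forwarded without being rewritten.

# Alternative Chuck mentions: if every host behind the firewall does Path
# MTU discovery, drop fragments rather than reassembling them. Fragments
# only reach filter rules when no scrub rule has reassembled them, so this
# replaces the "scrub in" line above rather than adding to it.
# block in quick on $ext_if inet fragment

# Minimal filter policy: default deny inbound on the WAN, stateful pass
# outbound, and stateful pass from the LAN.
block in  on $ext_if all
pass  out on $ext_if all keep state
pass  in  on $int_if from $lan_net to any keep state
pass  out on $int_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing is installed); after loading, `pfctl -sm` shows the effective `frags` limit and `pfctl -si` shows the fragment and normalization counters, which is where a reassembly flood against the firewall would first become visible.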