From: "Russell E. Meek" <rmeek@russellmeek.net>
Date: Sun, 29 Jan 2006 16:39:02 -0500
To: "J.D. Bronson", freebsd-questions@freebsd.org
Subject: Re: pf and scrubbing bubbles
Message-ID: <43DD35F6.5080307@russellmeek.net>
In-Reply-To: <7.0.1.0.2.20060129152112.012780f0@sixcompanies.com>
List: freebsd-questions@freebsd.org (User questions)

J.D. Bronson wrote:
> At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>
>> Chuck Swiger wrote:
>>
>>> J.D. Bronson wrote:
>>>
>>>> I am using this in my pf.conf (on 6.0) and was wondering if these
>>>> settings are appropriate.
>>>>
>>>> While 'scrub' by itself is always recommended, I added a few more
>>>> things that seem like they ought to be there?
>>>>
>>>> I use this for all the NICs...WAN and LAN...
>>>> with the exception to remove filtering on loopback:
>>>>
>>>> =======================================================
>>>> scrub all random-id reassemble tcp fragment reassemble
>>>> no scrub on lo0 all
>>>> =======================================================
>>>>
>>>> anyone see any issues with this - especially since it's on the WAN
>>>> and LAN NICs?
>>>
>>> You're shifting a fair amount of workload onto the firewall by
>>> requiring it to re-write all of the packets to change the IPID field;
>>> it would be highly desirable to have NICs which can do hardware
>>> checksums.
>>>
>>> There's a potential for DoS'ing the firewall if it does fragment
>>> reassembly, modulo how well PF handles such fragmentation attacks.
>>> If you permit Path MTU discovery to function, blocking fragments
>>> entirely may be a more reasonable approach than trying to reassemble
>>> them on the firewall.
>>>
>>> (If you need to support older machines which don't do PMTUd, that
>>> may not be an option for you, though...)
>>
>> Chuck,
>>
>> Here is really all that you need for your scrub rules.
>>
>> ==================================
>> scrub in on $ext_if no-df
>> scrub out on $ext_if random-id
>> ==================================
>>
>> Remember:
>>
>> fragment-reassemble is default and does not need to be added.
>>
>> You really do not need to scrub packets on your internal LAN
>> interfaces as it will slow you down.
>>
>> Here is a site for you which should offer a few tips and tricks.
>>
>> https://www.solarflux.org/pf/pf-tips.php
>>
>> Thanks,
>>
>> Russell
>
> I was actually the one that asked about this...not Chuck. But thanks
> for the insight...it was good reading.
>
> -JD
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

JD

Sorry about that, wrong name.

Russ
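The three positions taken in the thread side by side, as an added pf.conf example that is not part of any message above and not any poster's own configuration. The interface names em0 (WAN) and em1 (LAN) are assumed; everything else follows the pf.conf(5) syntax of the FreeBSD 6.x era that the question is about.

```pf
# Added example, not from the thread. Interface names are assumed.
ext_if = "em0"   # WAN
int_if = "em1"   # LAN

# --- 1. The rules from the original question (commented out here).
# Valid syntax, but every packet on every interface except lo0 gets its
# IP ID rewritten (random-id, which forces an IP checksum recompute),
# every fragment is held for reassembly, and every TCP stream is
# statefully normalized ("reassemble tcp"). On the LAN side that is
# work with no security payoff.
#
# scrub all random-id reassemble tcp fragment reassemble
# no scrub on lo0 all

# --- 2. The trimmed version from the reply: external interface only.
# Inbound: clear the DF bit so that DF-marked fragments can still be
# reassembled. "fragment reassemble" is the default scrub action and
# therefore does not need to be spelled out.
scrub in  on $ext_if all no-df
# Outbound: randomize the IP ID so the per-host ID sequences of the
# machines behind the firewall are not visible to the outside.
scrub out on $ext_if all random-id
# Nothing is scrubbed on $int_if or lo0, so no "no scrub" rule is needed.

# --- 3. The alternative raised in the thread: drop fragments at the
# edge instead of reassembling them. This only works when Path MTU
# discovery is allowed to function, so the ICMP "fragmentation needed"
# messages must be let in explicitly. To use this variant, remove the
# "scrub in" line above: with reassembly active, fragments are
# reassembled before filtering and the "fragment" rule never matches.
#
# block in log quick on $ext_if inet all fragment
# pass  in on $ext_if inet proto icmp all icmp-type unreach code needfrag

# Stateful pass rules for the rest of the traffic (minimal placeholder).
pass out on $ext_if all keep state
pass in  on $int_if all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first, which parses the file without installing it, and after loading check `pfctl -vs rules` to see the per-rule packet counters; a scrub rule that never accumulates counts on the LAN side is the practical confirmation that moving it off $int_if cost nothing.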