Date: Sun, 29 Jan 2006 15:21:44 -0600
From: "J.D. Bronson" <jbronson@wixb.com>
To: "Russell E. Meek" <rmeek@russellmeek.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf and scrubbing bubbles
Message-ID: <7.0.1.0.2.20060129152112.012780f0@sixcompanies.com>
In-Reply-To: <43DD262C.1060703@russellmeek.net>
References: <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com> <43DB920A.40501@mac.com> <43DD262C.1060703@russellmeek.net>
At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>Chuck Swiger wrote:
>
>>J.D. Bronson wrote:
>>
>>>I am using this in my pf.conf (on 6.0) and was wondering if these settings
>>>are appropriate.
>>>
>>>While 'scrub' by itself is always recommended, I added a few more things
>>>that seem like they ought to be there?
>>>
>>>I use this for all the NICs...WAN and LAN...
>>>with the exception to remove filtering on loopback:
>>>
>>>=======================================================
>>>scrub all random-id reassemble tcp fragment reassemble
>>>no scrub on lo0 all
>>>=======================================================
>>>
>>>Anyone see any issues with this - especially since it's on the WAN
>>>and LAN NICs?
>>>
>>
>>You're shifting a fair amount of workload onto the firewall by requiring it to
>>re-write all of the packets to change the IPID field; it would be highly
>>desirable to have NICs which can do hardware checksums.
>>
>>There's a potential for DoS'ing the firewall if it does fragment reassembly,
>>modulo how well PF handles such fragmentation attacks. If you permit Path MTU
>>discovery to function, blocking fragments entirely may be a more reasonable
>>approach than trying to reassemble them on the firewall.
>>
>>(If you need to support older machines which don't do PMTUd, that may not be an
>>option for you, though...)
>>
>
>Chuck,
>
>Here is really all that you need for your scrub rules.
>
>==================================
>scrub in on $ext_if no-df
>scrub out on $ext_if random-id
>==================================
>
>Remember:
>
>fragment-reassemble is default and does not need to be added.
>
>You really do not need to scrub packets on your internal LAN
>interfaces as it will slow you down.
>
>Here is a site for you which should offer a few tips and tricks.
>
>https://www.solarflux.org/pf/pf-tips.php
>
>Thanks,
>
>Russell

I was actually the one that asked about this...not Chuck.

But thanks for the insight...it was good reading.

-JD
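For readers comparing the two sets of scrub rules discussed in this thread, the following pf.conf fragment is an added illustration written for this archive page; it is not from any of the posters. It assumes a WAN interface named em0 (the `$ext_if` macro) and a constructed, minimal filter section so that the normalisation rules have the context they need in a FreeBSD 6.0 era pf.conf, where scrub rules must come before translation and filter rules.

```pf
# Added example, not from the thread. Assumes the WAN interface is em0;
# change the macro to match the machine.
ext_if = "em0"

# --- Variant 1: the rule from the original post, applied to every interface ---
# 'reassemble tcp' and 'fragment reassemble' buffer fragments and track
# sequence numbers for every flow on every NIC, which is the memory and CPU
# exposure raised in the thread; 'random-id' rewrites the IP ID of each
# outbound packet, forcing an IP checksum recomputation per packet.
# Kept here commented out for comparison only:
# scrub all random-id reassemble tcp fragment reassemble
# no scrub on lo0 all

# --- Variant 2: the leaner rules suggested in the reply ---
# Only the external interface is normalised; 'fragment reassemble' is the
# default and is therefore not spelled out. LAN interfaces are untouched.
# 'no-df' clears the don't-fragment bit on inbound packets so that hosts
# which set DF on packets they then fragment (NFS is the classic case)
# still get through.
scrub in  on $ext_if no-df
scrub out on $ext_if random-id

# --- Alternative raised in the thread: drop fragments instead of
# reassembling them. Only meaningful if reassembly is disabled on that
# interface (for example 'no scrub in on $ext_if'), because once scrub has
# reassembled a packet the filter no longer sees it as a fragment.
# no scrub in on $ext_if
# block in quick on $ext_if all fragment

# Constructed minimal filter section so the file loads as a whole.
# 'keep state' is explicit because it was not yet the default in this pf version.
block in  on $ext_if all
pass  out on $ext_if all keep state
```

Load-check the file without activating it using `pfctl -nf /etc/pf.conf`; pfctl rejects the file if a scrub rule is placed after a filter rule or if a keyword is misspelled, which is the quickest way to catch an ordering mistake before a reload locks you out of a remote box.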