Date: Sun, 29 Jan 2006 16:39:02 -0500
From: "Russell E. Meek" <rmeek@russellmeek.net>
To: "J.D. Bronson" <jbronson@wixb.com>, freebsd-questions@freebsd.org
Subject: Re: pf and scrubbing bubbles
Message-ID: <43DD35F6.5080307@russellmeek.net>
In-Reply-To: <7.0.1.0.2.20060129152112.012780f0@sixcompanies.com>
References: <7.0.1.0.2.20060128070014.01282e00@sixcompanies.com> <43DB920A.40501@mac.com> <43DD262C.1060703@russellmeek.net> <7.0.1.0.2.20060129152112.012780f0@sixcompanies.com>
J.D. Bronson wrote:
> At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>
>> Chuck Swiger wrote:
>>
>>> J.D. Bronson wrote:
>>>
>>>> I am using this in my pf.conf (on 6.0) and was wondering if these
>>>> settings are appropriate.
>>>>
>>>> While 'scrub' by itself is always recommended, I added a few more
>>>> things that seem like they ought to be there?
>>>>
>>>> I use this for all the NICs...WAN and LAN...
>>>> with the exception to remove filtering on loopback:
>>>>
>>>> =======================================================
>>>> scrub all random-id reassemble tcp fragment reassemble
>>>> no scrub on lo0 all
>>>> =======================================================
>>>>
>>>> Anyone see any issues with this - especially since it's on the WAN
>>>> and LAN NICs?
>>>
>>> You're shifting a fair amount of workload onto the firewall by
>>> requiring it to re-write all of the packets to change the IPID field;
>>> it would be highly desirable to have NICs which can do hardware
>>> checksums.
>>>
>>> There's a potential for DoS'ing the firewall if it does fragment
>>> reassembly, modulo how well PF handles such fragmentation attacks.
>>> If you permit Path MTU discovery to function, blocking fragments
>>> entirely may be a more reasonable approach than trying to reassemble
>>> them on the firewall.
>>>
>>> (If you need to support older machines which don't do PMTUd, that
>>> may not be an option for you, though...)
>>
>> Chuck,
>>
>> Here is really all that you need for your scrub rules.
>>
>> ==================================
>> scrub in on $ext_if no-df
>> scrub out on $ext_if random-id
>> ==================================
>>
>> Remember:
>>
>> fragment-reassemble is default and does not need to be added.
>>
>> You really do not need to scrub packets on your internal LAN
>> interfaces as it will slow you down.
>>
>> Here is a site for you which should offer a few tips and tricks.
>>
>> https://www.solarflux.org/pf/pf-tips.php
>>
>> Thanks,
>>
>> Russell
>
> I was actually the one that asked about this...not Chuck. But thanks
> for the insight...it was good reading.
>
> -JD
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

JD

Sorry about that, wrong name.

Russ
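The two scrub rule sets discussed in this thread, placed side by side in one pf.conf fragment. This is an added example written for this archive page, not a configuration posted by any participant; the interface names behind $ext_if and $int_if are assumptions, and the pass rules that would normally follow are omitted.

```pf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"      # WAN-facing NIC (assumed)
int_if = "em1"      # LAN-facing NIC (assumed)

# --- Rule set from the original question ---
# Normalises every packet on every interface except lo0: rewrites the
# IP ID of everything, reassembles fragments, and normalises TCP on WAN
# and LAN alike. Valid syntax, but each LAN packet now costs the
# firewall a header rewrite and checksum recalculation.
#
#   scrub all random-id reassemble tcp fragment reassemble
#   no scrub on lo0 all

# --- Lighter rule set suggested in the reply ---
# Scrub only on the external interface. Fragment reassembly is pf's
# default scrub behaviour, so "fragment reassemble" is implied and
# does not need to be written out.
scrub in  on $ext_if no-df      # clear DF on inbound packets
scrub out on $ext_if random-id  # replace predictable IP IDs on outbound packets
# No scrub rule on $int_if: LAN traffic is passed through unmodified.

# Filter (block/pass) rules would follow here.
```

Before loading either variant, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches keyword-order mistakes in scrub options. One caveat worth checking against pf.conf(5) when using no-df: the man page notes that some operating systems emit DF-flagged packets with a zero IP identification field, and discusses pairing no-df with random-id for that case.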