pf and scrubbing bubbles
J.D. Bronson
jbronson at wixb.com
Sun Jan 29 13:21:46 PST 2006
At 02:31 PM 1/29/2006, Russell E. Meek wrote:
>Chuck Swiger wrote:
>
>>J.D. Bronson wrote:
>>
>>
>>>I am using this in my pf.conf (on 6.0) and was wondering if these settings
>>>are appropriate.
>>>
>>>While 'scrub' by itself is always recommended, I added a few more things
>>>that seem like they ought to be there?
>>>
>>>I use this for all the NICs...WAN and LAN...
>>>with the exception to remove filtering on loopback:
>>>
>>>=======================================================
>>>scrub all random-id reassemble tcp fragment reassemble
>>>no scrub on lo0 all
>>>=======================================================
>>>
>>>anyone see any issues with this - especially since it's on the WAN
>>>and LAN NICs?
>>>
>>
>>You're shifting a fair amount of workload onto the firewall by requiring it to
>>re-write all of the packets to change the IPID field; it would be highly
>>desirable to have NICs which can do hardware checksums.
>>
>>There's a potential for DoS'ing the firewall if it does fragment reassembly,
>>modulo how well PF handles such fragmentation attacks. If you permit Path MTU
>>discovery to function, blocking fragments entirely may be a more reasonable
>>approach than trying to reassemble them on the firewall.
>>
>>(If you need to support older machines which don't do PMTUd, that may not be an
>>option for you, though...)
>>
>>
>Chuck,
>
>Here is really all that you need for your scrub rules.
>
>==================================
>scrub in on $ext_if no-df
>scrub out on $ext_if random-id
>==================================
>
>Remember:
>
>fragment-reassemble is default and does not need to be added.
>
>You really do not need to scrub packets on your internal LAN
>interfaces as it will slow you down.
>
>Here is a site for you which should offer a few tips and tricks.
>
>https://www.solarflux.org/pf/pf-tips.php
>
>Thanks,
>
>Russell
I was actually the one that asked about this...not Chuck. But thanks
for the insight...it was good reading.
-JD