[Previous: Options]
[Contents]
[Next: Queueing]
PF: Scrub
Introduction
"Scrubbing" is the normalization of packets so there are no ambiguities
in interpretation by the ultimate destination of the packet. The scrub
directive also reassembles fragmented packets, protecting some operating
systems from some forms of attack, and drops TCP packets that have
invalid flag combinations. A simple
form of the scrub directive:
scrub in all
This will scrub all incoming packets on all interfaces.
One reason not to scrub on an interface is if one is passing NFS through
PF. Some non-OpenBSD platforms send (and expect) strange packets --
fragmented packets with the "do not fragment" bit set, which are
(properly) rejected by scrub. This can be resolved by use of the
no-df option. Another reason is some multi-player games have
connection problems passing through PF with scrub enabled.
Other than these somewhat unusual cases, scrubbing all packets is
highly recommended practice.
The scrub directive syntax is very similar to the
filtering syntax which makes it easy to
selectively scrub certain packets and not others.
More on the principle and concepts of scrubbing here:
http://www.icir.org/vern/papers/norm-usenix-sec-01-html/index.html
Options
Scrub has the following options:
- no-df: Clears the don't fragment (DF) bit from the IP packet header.
Some operating systems are known to generate fragmented packets with the
DF bit set. This is particularly true with NFS. Scrub will drop such
packets unless the no-df option is specified. Because some operating
systems generate DF packets with a zero IP identification header field,
using no-df in conjunction with random-id is recommended.
- random-id: Replaces the IP identification field of outgoing packets
with random values, to compensate for operating systems that use
predictable values. This option only applies to outgoing packets that are
not fragmented after the optional packet reassembly.
- min-ttl num: Enforces a minimum Time To Live (TTL) in IP packet
headers; a packet arriving with a lower TTL has it raised to num.
- max-mss num: Enforces a maximum Maximum Segment Size (MSS) in TCP
packet headers; a TCP segment carrying an MSS option larger than num has
the option value lowered to num.
- fragment reassemble: Buffers incoming packet fragments and reassembles
them into a complete packet before passing them to the filter engine. The
advantage is that filter rules only have to deal with complete packets
and can ignore fragments. The drawback is the increased memory needed to
buffer packet fragments. This is the default behavior when no fragment
option is specified. This is also the only fragment option that works
with NAT.
- fragment crop: Causes duplicate fragments to be dropped and any
overlaps to be cropped. Unlike fragment reassemble, fragments are not
buffered but are passed on as soon as they arrive.
- fragment drop-ovl: Similar to fragment crop, except that all duplicate
or overlapping fragments are dropped, as are any further fragments
belonging to the same packet.
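To make the difference between the three fragment options concrete, here is an added example (not code from the PF FAQ or from PF itself): a Python model of reassemble, crop and drop-ovl run over one constructed fragment stream in which the second fragment overlaps the first with different bytes and the third is an exact duplicate. Two details are this example's own assumptions and are not stated on this page: under reassemble the first-received bytes win an overlap, and under crop an overlap that cannot be trimmed off the head or tail of a fragment drops that fragment.

```python
"""Added example, not code from the PF FAQ or from PF: a Python model of the
three scrub fragment policies run over one constructed fragment stream.
A fragment is (byte offset, more-fragments flag, payload). PF does this in the
kernel on real IPv4 fragments; only the forwarding decisions are modelled here.
Assumptions of this model: under reassemble the first-received bytes win an
overlap, and under crop an overlap that cannot be trimmed away at the head or
tail of a fragment drops that fragment."""

MF = True  # more fragments follow

# Constructed stream: fragment B overlaps the tail of A with different bytes
# ("safe" vs "evil"), C is an exact duplicate of B, D is the last fragment.
# A host that prefers older data reassembles "GET /safe HTTP/1.0", one that
# prefers newer data sees "GET /evil HTTP/1.0": the ambiguity scrub removes.
STREAM = [
    (0, MF, b"GET /safe"),     # bytes 0-8
    (5, MF, b"evil "),         # bytes 5-9, overlaps bytes 5-8 of A
    (5, MF, b"evil "),         # duplicate of B
    (10, False, b"HTTP/1.0"),  # bytes 10-17, last fragment
]


def reassemble(stream):
    """fragment reassemble: buffer until the datagram is complete, then emit it once."""
    buf = {}       # byte offset -> value; setdefault keeps the first-received byte
    total = None   # datagram length, known once the last fragment has arrived
    for off, more, data in stream:
        for i, b in enumerate(data):
            buf.setdefault(off + i, b)
        if not more:
            total = off + len(data)
        if total is not None and all(i in buf for i in range(total)):
            return bytes(buf[i] for i in range(total))
    return None    # incomplete: nothing reaches the filter, fragments stay buffered


def crop(stream):
    """fragment crop: forward each fragment at once, minus bytes already seen."""
    seen, out = set(), []
    for off, more, data in stream:
        lo, hi = off, off + len(data)
        while lo < hi and lo in seen:        # trim overlap at the head
            lo += 1
        while hi > lo and (hi - 1) in seen:  # trim overlap at the tail
            hi -= 1
        if lo >= hi or any(i in seen for i in range(lo, hi)):
            continue                         # duplicate or untrimmable overlap: dropped
        out.append((lo, data[lo - off:hi - off]))
        seen.update(range(lo, hi))
    return out


def drop_ovl(stream):
    """fragment drop-ovl: a duplicate or overlap drops that fragment and all later ones."""
    seen, out, poisoned = set(), [], False
    for off, more, data in stream:
        span = range(off, off + len(data))
        if poisoned or any(i in seen for i in span):
            poisoned = True
            continue
        out.append((off, data))
        seen.update(span)
    return out


if __name__ == "__main__":
    print("reassemble:", reassemble(STREAM))
    print("crop:      ", crop(STREAM))
    print("drop-ovl:  ", drop_ovl(STREAM))
```

Running it shows what the filter engine is handed in each case: reassemble delivers the single datagram "GET /safe HTTP/1.0"; crop forwards A unchanged, trims B down to its one new byte, drops the duplicate C and forwards D; drop-ovl forwards A and then nothing else from that datagram. Only reassemble leaves the destination no room for its own interpretation of the overlap, which is why it is the default and the only option usable with NAT.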
Example:
scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
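The following is an added example, not code from the PF FAQ or from PF: a Python model of what no-df, random-id, min-ttl and max-mss do to an IPv4/TCP header, together with the TCP flag sanity check mentioned in the introduction, applied to a constructed packet so the effect of a rule like the one above can be inspected field by field. PF performs this in kernel C; the drop and rewrite decisions here are this example's reading of PF's normalizer, and the exact set of TCP flag combinations treated as invalid is an assumption of the example, since the page only says "invalid flag combinations".

```python
"""Added example, not code from the PF FAQ or from PF: a Python model of what
scrub's no-df, random-id, min-ttl and max-mss options, and its TCP flag check,
do to an IPv4/TCP header, applied to a constructed packet so that the effect of
    scrub in on fxp0 all no-df random-id min-ttl 15 max-mss 1400
can be inspected field by field. PF does this in kernel C; the drop and rewrite
decisions below are this example's reading of PF's normalizer, not its code,
and the set of TCP flag combinations treated as invalid is an assumption."""
import random
import struct

IP_DF, IP_MF, IP_OFFMASK = 0x4000, 0x2000, 0x1FFF   # IPv4 flags/fragment-offset word
TCP_OPT_MSS = 2                                     # TCP option kind: Maximum Segment Size
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPHDR = "!BBHHHBBH4s4s"                             # IPv4 header without options


def checksum(data):
    """RFC 1071 ones' complement sum over 16-bit words; 0 when data already carries a valid sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """TCP checksum over the pseudo-header and the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + bytes(tcp))


def build_packet(ttl=5, ip_off=IP_DF, ip_id=0, tcp_flags=TH_SYN, mss=1460):
    """Constructed IPv4/TCP segment without payload, carrying an MSS option."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 6 << 4, tcp_flags, 65535, 0, 0)
    tcp += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)            # data offset 6 words = 24 bytes
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack(IPHDR, 0x45, 0, 20 + len(tcp), ip_id, ip_off, ttl, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp


def scrub(pkt, no_df=False, random_id=False, min_ttl=None, max_mss=None, rng=random):
    """Apply the scrub options to one packet; return the new bytes, or None if dropped."""
    vhl, tos, tlen, ip_id, ip_off, ttl, proto, _, src, dst = struct.unpack(IPHDR, pkt[:20])
    ihl = (vhl & 0x0F) * 4
    if no_df:                                     # no-df: clear DF on every matching packet
        ip_off &= ~IP_DF & 0xFFFF
    is_fragment = bool(ip_off & (IP_MF | IP_OFFMASK))
    if is_fragment and ip_off & IP_DF:            # a fragment that says "don't fragment": drop
        return None
    if random_id and not is_fragment:             # random-id only touches unfragmented packets
        ip_id = rng.randrange(1, 0x10000)
    if min_ttl is not None and ttl < min_ttl:     # min-ttl raises a low TTL, never lowers one
        ttl = min_ttl
    ip = struct.pack(IPHDR, vhl, tos, tlen, ip_id, ip_off, ttl, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + pkt[20:ihl]
    if proto != 6 or is_fragment:                 # TCP checks need the whole header
        return ip + pkt[ihl:]
    tcp = bytearray(pkt[ihl:])
    flags = tcp[13]
    if flags & TH_SYN and flags & (TH_RST | TH_FIN):
        return None                               # SYN+RST, SYN+FIN: invalid combination
    if not flags & (TH_SYN | TH_ACK | TH_RST):
        return None                               # no SYN, ACK or RST: nothing legitimate
    if not flags & TH_ACK and flags & (TH_FIN | TH_PSH | TH_URG):
        return None                               # FIN/PSH/URG only make sense with ACK
    # max-mss: walk the TCP options and lower an MSS that exceeds the limit
    i, end = 20, (tcp[12] >> 4) * 4
    while max_mss is not None and i + 1 < end and tcp[i] != 0:   # kind 0 ends the list
        if tcp[i] == 1:                           # kind 1 is a single-byte NOP
            i += 1
            continue
        kind, length = tcp[i], tcp[i + 1]
        if kind == TCP_OPT_MSS and length == 4 and struct.unpack("!H", tcp[i + 2:i + 4])[0] > max_mss:
            tcp[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += max(length, 2)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, tcp))
    return ip + bytes(tcp)


def fields(pkt):
    """Decode the fields a scrub rule can change, plus both checksums, for inspection."""
    ip_id, ip_off, ttl = struct.unpack("!HHB", pkt[4:9])
    tcp = pkt[20:]
    return {"id": ip_id, "df": bool(ip_off & IP_DF), "ttl": ttl, "flags": tcp[13],
            "mss": struct.unpack("!H", tcp[22:24])[0],
            "ip_cksum_ok": checksum(pkt[:20]) == 0,
            "tcp_cksum_ok": tcp_checksum(pkt[12:16], pkt[16:20], tcp) == 0}


if __name__ == "__main__":
    raw = build_packet()
    out = scrub(raw, no_df=True, random_id=True, min_ttl=15, max_mss=1400, rng=random.Random(7))
    print(fields(raw), "->", fields(out))
```

The constructed packet is the worst case the page describes: DF set, IP ID zero, TTL 5 and an MSS of 1460. After scrub, DF is cleared, the ID is non-zero, the TTL is 15, the MSS is 1400, and both checksums are still valid, which is the part a hand-rolled normalizer most often gets wrong. The same fragment with DF set is dropped unless no-df is in the rule, and a SYN+FIN segment is dropped regardless of the options.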
www@openbsd.org
Originally [OpenBSD: scrub.html,v 1.6 ]
$Translation: scrub.html,v 1.2 2004/02/15 23:53:04 jufi Exp $
$OpenBSD: scrub.html,v 1.2 2004/02/16 00:29:50 jufi Exp $