[Previous: Runtime Options] [Contents] [Next: Anchors and Named (Sub) Rulesets]

PF: Scrub (Packet Normalization)

Table of Contents

• Introduction
• Options

Introduction

scrub in all

This will scrub all incoming packets on all interfaces.

One reason not to scrub on an interface is if one is passing NFS through PF. Some non-OpenBSD platforms send (and expect) strange packets -- fragmented packets with the "do not fragment" bit set, which are (properly) rejected by scrub. This can be resolved by use of the no-df option. Another reason is some multi-player games have connection problems passing through PF with scrub enabled. Other than these somewhat unusual cases, scrubbing all packets is highly recommended practice.

The scrub directive syntax is very similar to the filtering syntax which makes it easy to selectively scrub certain packets and not others.

More on the principle and concepts of scrubbing can be found in the paper Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics.

Options

no-df

Clears the don't fragment bit from the IP packet header. Some operating systems are known to generate fragmented packets with the don't fragment bit set. This is particularly true with NFS. Scrub will drop such packets unless the no-df option is specified. Because some operating systems generate don't fragment packets with a zero IP identification header field, using no-df in conjunction with random-id is recommended.

random-id

Replaces the IP identification field of outgoing packets with random values to compensate for operating systems that use predictable values. This option only applies to outgoing packets that are not fragmented after the optional packet reassembly.

min-ttl num

Enforces a minimum Time To Live (TTL) in IP packet headers.

max-mss num

Enforces a maximum Maximum Segment Size (MSS) in TCP packet headers.

fragment reassemble

Buffers incoming packet fragments and reassembles them into a complete packet before passing them to the filter engine. The advantage is that filter rules only have to deal with complete packets and can ignore fragments. The drawback is the increased memory needed to buffer packet fragments. This is the default behavior when no fragment option is specified. This is also the only fragment option that works with NAT.

fragment crop

Causes duplicate fragments to be dropped and any overlaps to be cropped. Unlike fragment reassemble, fragments are not buffered but are passed on as soon as they arrive.

fragment drop-ovl

Similar to fragment crop except that all duplicate or overlapping fragments will be dropped as well as any further corresponding fragments.

reassemble tcp

Statefully normalizes TCP connections. When using scrub reassemble tcp, a direction (in/out) may not be specified. The following normalizations are performed:

• Neither side of the connection is allowed to reduce their IP TTL. This is done to protect against an attacker sending a packet such that it reaches the firewall, affects the held state information for the connection, and expires before reaching the destination host. The TTL of all packets is raised to the highest value seen for the connection.
• Modulate RFC1323 timestamps in TCP packet headers with a random number. This can prevent an observer from deducing the uptime of the host or from guessing how many hosts are behind a NAT gateway.

Examples:

scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in on fxp0 all no-df
scrub    on fxp0 all reassemble tcp

[Previous: Runtime Options] [Contents] [Next: Anchors and Named (Sub) Rulesets]