At 02:31 PM 1/29/2006, Russell E. Meek wrote:
Chuck Swiger wrote:
J.D. Bronson wrote:
I am using this in my pf.conf (on 6.0) and was wondering if these settings
are appropriate.
While 'scrub' by itself is always recommended, I added a few more things
that seem to ought to be there?
I use this for all the NICs...WAN and LAN...
with the exception to remove filtering on loopback:
=======================================================
scrub all random-id reassemble tcp fragment reassemble
no scrub on lo0 all
=======================================================
anyone see any issues with this - especially since its on the WAN
and LAN NICs?
You're shifting a fair amount of workload onto the firewall by
requiring it to
re-write all of the packets to change the IPID field; it would be highly
desirable to have NICs which can do hardware checksums.
There's a potential for DoS'ing the firewall if it does fragment reassembly,
modulo how well PF handles such fragmentation attacks. If you
permit Path MTU
discovery to function, blocking fragments entirely may be a more reasonable
approach than trying to reassemble them on the firewall.
(If you need to support older machines which don't do PMTUd, that
may not be an
option for you, though...)
Chuck,
Here is really all that you need for your scrub rules.
==================================
scrub in on $ext_if no-df
scrub out on $ext_if random-id
==================================
Remember:
fragment-reassemble is default and does not need to be added.
You really do not need to scrub packets on your internal LAN
interfaces as it will slow you down.
Here is a site for you which should offer a few tips and tricks.
https://www.solarflux.org/pf/pf-tips.php
Thanks,
Russell
I was actually the one that asked about this...not Chuck. But thanks
for the insight...it was good reading.
-JD
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
