Hi all,

A few questions about the operation of pf scrub options in OpenBSD 5.3:

1. In 2010 Henning advised against the use of "reassemble tcp" (link
below). Is this advice still applicable and what are the known issues
that this option may cause in the current implementation?

http://marc.info/?l=openbsd-misc&m=126343406308201&w=2

2. Am I correct in assuming that the following example ruleset would
be more efficient (and work the same way) if the 'match on LAN' rule
was removed, or if scrubbing was only done for inbound packets (match
in ...)?

match on WAN scrub (no-df random-id)
match on LAN scrub (no-df random-id)
pass

I'm trying to figure out exactly when options like "random-id" and
"reassemble tcp" are applied. My current understanding is that a
packet passing from LAN to WAN with the above ruleset will have its id
randomized twice, and the same thing will happen for any returning
packet that matches the two state entries. If I change both match
rules to 'match in ...', then packets in both directions are scrubbed
just once, but the returning packets are scrubbed as they leave the
firewall instead of when they are first received. Is all of that
right?

If so, does it actually matter that the returning packets are not
scrubbed when they are first received? For example, if "reassemble
tcp" or "min-ttl" options are used and the other side lowers its TTL
value to the point where the response packet expires upon reaching the
firewall, then the TTL check will have no effect, since the OS
wouldn't forward the packet to the outbound interface or run the
second state check.

- Max