[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Scrub and fragments



Hello everybody,
Can anyone please explain to me exactly what scrub
directives are supposed to do?
A while ago I've run into the following problem: I was
playing with an OpenBSD3.1 machine, trying to
understand how pf works. At some point I tried to
mount a directory from it, and that failed for no
apparent reason (actually, the mount itself worked,
but I couldn't save and close files).
After much head-scratching, I reduced the pf rule set
to
scrub in log all
scrub out log all
pass in all
pass out all
and at that point I started getting pf log lines like
this:
Nov 18 12:34:58.614117 rule 0/2(fragment): block in on
fxp1: 192.168.32.2 > 192.168.32.1: (frag
44100:1272@2960)
As it happens, some NFS packets are fragmented and the
"scrub in" directive was blocking the fragments.
I removed the scrub lines and it worked, but then I
tried the same NFS thing with a machine behind the
firewall and it failed again.
This time, it was because the NFS fragments were
passing through the firewall without being NATed, as
the full IP datagrams were, and this obviously
confused the server.
So it looks like pf on 3.1 can't handle fragments. Was
this fixed in 3.2?
And related to this, what exactly does "normalization"
mean? I thought scrub's main purpose was to to
defragmentation.
Best regards,
Dan.
__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com