
Re: Scrub and fragments



On Mon, Nov 18, 2002 at 06:50:12AM -0800, Dan Moinescu wrote:
> I was indeed using a Linux box as the NFS client. But
> nonetheless, this means that if some Linux router or
> server out there decides to fragment a packet going to
> my OpenBSD box, that network connection will be
> corrupted, is that true?
Linux' NFS behavior has been the topic of previous discussion, please
see the linux-nfs mailing list archive for details:
  http://marc.theaimsgroup.com/?l=linux-nfs
The bottom line, so far, is that they think using DF is a good idea,
whereas we think it's not.

If you want such connections to pass through a pf firewall, you have to
disable scrubbing for them. You can enable scrubbing in general and
exclude specific protocols/ports using 'no scrub ...'.
Without packet reassembly done by scrub, however, you won't be able to
filter these connections statefully nor translate them (NAT).

Basically, translations require stateful filtering, which requires
reassembled packets, which requires scrub, which drops fragmented
packets with DF set. You can remove the DF check, if you want to give in
to Linux' point of view regarding this matter, but we won't change pf's
default behavior based on the discussions so far.

Daniel
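The two choices described above, written out as an added pf.conf fragment (not from the thread or from the pf project); the interface name, the NFS server address and UDP port 2049 for NFS are assumptions for illustration:

```pf
# Added example, not from the thread. $ext_if and $nfs_server are
# placeholders; adjust to your gateway.
ext_if = "fxp0"
nfs_server = "192.0.2.10"      # constructed example address

# Option 1: keep scrub on in general but exempt NFS from reassembly.
# 'no scrub' works like a quick rule: the first matching scrub rule
# decides, so these exemptions must come before the general scrub line.
# Exempted packets pass unreassembled, so they cannot be matched by
# stateful rules or by nat/rdr; allow them with stateless rules instead.
no scrub in on $ext_if proto udp from any to $nfs_server port 2049
no scrub in on $ext_if proto udp from $nfs_server port 2049 to any
scrub in on $ext_if all fragment reassemble

# Option 2 (alternative to the three lines above): drop the DF check
# instead, so fragments with DF set are reassembled and can then be
# filtered statefully and translated as usual. pf.conf(5) notes that
# clearing DF on packets with a zero IP ID can cause problems if an
# upstream router fragments them again later.
# scrub in on $ext_if all no-df fragment reassemble
```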