
Re: no scrub reassemble tcp from foo to bar



On Thu, Oct 20, 2005 at 08:24:32AM -0400, Jon Hart wrote:
> On Wed, Oct 19, 2005 at 07:51:13PM -0600, jared r r spiegel wrote:
> > On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote:
> > 
> > > What I'd like is to disable scrub's tcp reassembly on per
> > > host/port/protocol basis, something along the lines of:
> > > 
> > >    scrub all no-df random-id fragment reassemble reassemble tcp
> > >    no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp 
> > > 
> > > I'll bring up a test system to see if this is possible, but my question
> > > is will this get me what I want?  I want to do full scrubbing on all of
> > > my traffic except I don't want to do tcp reassembly on port 3260/tcp for
> > > a specific host.
> > 
> >   flip the order, no scrub first (normalization is like translation,
> >   first match).
> > 
> >   other than that, looks fine.
> 
> Great, I'll give it a shot.  The order makes sense as you've described,
> but... will this give me scrubbing on all traffic (including 3260/tcp),
> but do tcp reassembly on everything that isn't 3260/tcp?  
I've tried this out as suggested:

   no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp
   no scrub inet proto tcp from $SAN_NET to any port 3260 reassemble tcp
   scrub all no-df random-id fragment reassemble reassemble tcp

The ruleset loads as expected but the initial problem still remains.
I did not have time to validate whether or not 3260/tcp was still having
'reassemble tcp' applied to it but I have plans to see whether or not
TCP timestamps are being munged, which'll tell me for sure.

If anyone has any thoughts on this, I'm all ears.  When things calm down
a bit, I hope to get a test machine up to figure this out once and for
all.

Thanks!
-jon
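The following pf.conf fragment is an added example (not part of the thread) showing how first-match evaluation applies to the ruleset above, using the pre-4.6 pf scrub syntax of the time. The SAN_NET macro value is constructed for the example; pf.conf(5) of that era describes "no scrub" as leaving matching packets unscrubbed in the same way "drop quick" works for filter rules, i.e. a matching "no scrub" rule exempts the packet from normalization entirely, so options written on it such as "reassemble tcp" have no effect.

```pf
# Added example, not from the original post. Assumes OpenBSD pf scrub
# syntax of this era (pre-4.6); the SAN_NET value is constructed.
SAN_NET = "10.0.10.0/24"

# Scrub rules are evaluated first-match, like translation rules, so the
# "no scrub" rules must precede the general one. A matching "no scrub"
# rule exempts the packet from normalization entirely, which means
# 3260/tcp below receives NO scrubbing at all (no no-df, no random-id,
# no fragment reassembly), not "scrubbing without tcp reassembly".
no scrub inet proto tcp from any to $SAN_NET port 3260
no scrub inet proto tcp from $SAN_NET to any port 3260
scrub all no-df random-id fragment reassemble reassemble tcp

# To keep the other normalizations on 3260/tcp and leave out only
# "reassemble tcp", make the first match an ordinary scrub rule that
# simply omits that option, instead of a "no scrub" rule:
#
#   scrub inet proto tcp from any to $SAN_NET port 3260 no-df random-id fragment reassemble
#   scrub inet proto tcp from $SAN_NET to any port 3260 no-df random-id fragment reassemble
#   scrub all no-df random-id fragment reassemble reassemble tcp
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then use `pfctl -v -s rules` after some 3260/tcp traffic has passed: the scrub rules are printed with their evaluation and packet counters, which shows directly which scrub rule that traffic is matching, without having to inspect TCP timestamps on the wire.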