[ndbug] Question regarding PF scrub

Hrishikesh Murukkathampoondi hrishim at gmail.com
Thu Dec 22 05:07:36 PST 2016


In many online examples of pf.conf I see this line:

match all scrub (no-df random-id max-mss 1440)

I am not familiar with TCP/IP or other protocols so I do not understand what the manual says. So I don't fully understand what this line does. Hoping someone more knowledgeable will help me out.

From the manual:

no-df - clears the "don't-fragment" bit from matching IPv4 packets. Some operating systems have NFS implementations which are known to generate fragmented packets with the "don't-fragment" bit set. pf(4) will drop such fragmented "don't-fragment" packets unless no-df is specified.

Unfortunately some operating systems also generate their "don't-fragment" packets with a zero IP identification field. Clearing the "don't-fragment" bit on packets with a zero IP ID may cause deleterious results if an upstream router later fragments the packet. Using random-id is recommended in combination with no-df to ensure unique IP identifiers.

random-id - Replaces the IPv4 identification field with random values to compensate for predictable values generated by many hosts. This option only applies to packets that are not fragmented after the optional fragment reassembly.

max-mss - enforces a maximum segment size (MSS) for matching TCP packets

What I understand - PF does not like fragmented packets that have the don't-fragment bit set. Some systems (non-BSD I presume) create such traffic. This option fixes that issue.

Questions:

1. What are fragmented packets? I am guessing these are large data packets that are broken down into smaller ones.

2. From this link https://tools.ietf.org/html/rfc6864 I am guessing that the IPv4 identification field is used for managing fragmentation and re-assembly of packets. If this field is set to a random value how will the reassembler know the correct order of packets?

3. What is segment size? Why should it be limited?


Hrishi
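Added example, not code from the post or from the PF project: a small Python model of what the quoted no-df and random-id options do, written to show what fragmentation is and why random-id does not disturb reassembly (the IP ID is only replaced on whole packets, and the order of fragments comes from the fragment offset field, not from the ID). Packets are plain dicts, checksums and max-mss are left out, and the addresses, the 576-byte MTU and the 1200-byte datagram are constructed values.

```python
import random

def fragment(pkt, mtu):
    """Split an IPv4 datagram (a dict) into pieces that fit the MTU. Fragments
    keep the datagram's IP ID; 'offset' is in 8-byte units, 'mf' = more fragments."""
    payload = pkt["payload"]
    if len(payload) <= mtu:
        return [dict(pkt, offset=0, mf=False)]
    if pkt["df"]:                      # DF set: a router must drop, not fragment
        raise ValueError("DF set, datagram cannot be fragmented")
    step = (mtu // 8) * 8              # fragment lengths are multiples of 8 bytes
    return [dict(pkt, payload=payload[i:i + step], offset=i // 8,
                 mf=i + step < len(payload)) for i in range(0, len(payload), step)]

def scrub(pkt, rng=random.Random(1)):
    """Model of 'scrub (no-df random-id)': clear DF; replace the host's IP ID with
    a random one only on whole packets, so pieces split upstream keep a shared ID."""
    out = dict(pkt, df=False)
    if out["offset"] == 0 and not out["mf"]:
        out["id"] = rng.randrange(1, 0x10000)
    return out

def reassemble(frags):
    """Group by (src, dst, proto, id) and rebuild; order comes from the fragment
    offset, not from the ID value or the arrival order."""
    groups = {}
    for f in frags:
        groups.setdefault((f["src"], f["dst"], f["proto"], f["id"]), []).append(f)
    out = []
    for parts in groups.values():
        parts.sort(key=lambda f: f["offset"])
        if not parts[-1]["mf"]:        # last piece present: datagram complete
            out.append(dict(parts[0], mf=False,
                            payload=b"".join(p["payload"] for p in parts)))
    return out

def demo(mtu=576):
    """Constructed sample: a 1200-byte datagram with DF set and IP ID 0 crossing a link with a smaller (assumed) MTU."""
    pkt = dict(src="10.0.0.2", dst="10.0.0.9", proto=6, id=0, df=True, offset=0,
               mf=False, payload=bytes(range(256)) * 4 + b"x" * 176)
    try:
        fragment(pkt, mtu)
        dropped = False
    except ValueError:                 # what happens without no-df
        dropped = True
    scrubbed = scrub(pkt)
    frags = fragment(scrubbed, mtu)
    random.Random(7).shuffle(frags)    # arrival order must not matter
    back = reassemble(frags)
    return dict(dropped_without_scrub=dropped, id_after_scrub=scrubbed["id"],
                fragments=len(frags), intact=back[0]["payload"] == pkt["payload"])
```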
