I've got a "situation" here where a particular vendor's IP stack doesn't
seem to be totally RFC compliant.  The right solution is to get their
stack fixed but that takes time.  

The problem is that when I turn on scrub's reassemble tcp option, i.e.:

   scrub all no-df random-id fragment reassemble reassemble tcp

... the vendor's stack has a hell of a time getting traffic reliably
through the firewall -- TCP retransmits, tons of window resizes,
duplicates, etc.  I haven't dug into what in particular is causing these
issues or what specifically about pf's reassemble tcp option is invoking
this behaviour, but when I have this rule:

   scrub all no-df random-id fragment reassemble

everything works perfectly.  I will dig into this more later, but for
now I need a workaround.  The above scrub rule works, but is not ideal.
What I'd like is to disable scrub's tcp reassembly on a per
host/port/protocol basis, something along the lines of:

   scrub all no-df random-id fragment reassemble reassemble tcp
   no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp

I'll bring up a test system to see if this is possible, but my question
is will this get me what I want?  I want to do full scrubbing on all of
my traffic except I don't want to do tcp reassembly on port 3260/tcp for
a specific host.  I must do the remaining scrub tasks as there are lots
of fragments which aren't under my control.

Thoughts?

Thanks!

-jon
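The ruleset below is an added illustration of the exception-first layout for the question above; it is not from the original post and has not been confirmed against the poster's setup. It assumes a pf version that still has separate scrub rules (OpenBSD before 4.6, or FreeBSD), that scrub rules are evaluated first-match (the first scrub rule that matches a packet decides, so the exception has to come before the catch-all), and that a "no scrub" rule takes no scrub options of its own. $SAN_NET and $SAN_HOST are placeholder values.

```pf
# Added example, not the original poster's ruleset.
# Placeholder addresses (assumed, not real networks):
SAN_NET  = "10.0.0.0/24"
SAN_HOST = "10.0.0.10"

# Exception first. Scrub rules are first-match, so these must precede
# the catch-all rule or they never apply. "no scrub" takes the packet
# out of normalization entirely for both directions of the iSCSI
# session (initiator -> target and the replies), not just out of
# TCP reassembly.
no scrub inet proto tcp from $SAN_HOST to $SAN_NET port 3260
no scrub inet proto tcp from $SAN_NET port 3260 to $SAN_HOST

# Everything else gets the full treatment, including TCP reassembly.
scrub all no-df random-id fragment reassemble reassemble tcp
```

Two caveats to check on the test system before relying on this. First, "no scrub" is all-or-nothing for the packets it matches: the exempted hosts lose pf's fragment reassembly as well as TCP reassembly, so if the fragments the poster mentions come from or go to those hosts they will pass through unreassembled. Second, as far as I recall, pf's IP-fragment normalization stage matches scrub rules on address and protocol only, since ports are not available on non-initial fragments, so at that stage the port 3260 qualifier is effectively ignored and the exemption covers all TCP between the two hosts. Validate the syntax with `pfctl -nf /etc/pf.conf` before loading.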
