Hello everybody, Can anyone please explain to me exactly what scrub directives are supposed to do?
A while ago I ran into the following problem: I was playing with an OpenBSD 3.1 machine, trying to understand how pf works. At some point I tried to mount a directory from it, and that failed for no apparent reason (actually, the mount itself worked, but I couldn't save and close files). After much head-scratching, I reduced the pf rule set to

    scrub in log all
    scrub out log all
    pass in all
    pass out all

and at that point I started getting pf log lines like this:

    Nov 18 12:34:58.614117 rule 0/2(fragment): block in on fxp1: 192.168.32.2 > 192.168.32.1: (frag 44100:1272@2960)

As it happens, some NFS packets are fragmented and the "scrub in" directive was blocking the fragments. I removed the scrub lines and it worked, but then I tried the same NFS thing with a machine behind the firewall and it failed again. This time, it was because the NFS fragments were passing through the firewall without being NATed, as the full IP datagrams were, and this obviously confused the server.

So it looks like pf on 3.1 can't handle fragments. Was this fixed in 3.2?

And related to this, what exactly does "normalization" mean? I thought scrub's main purpose was to do defragmentation.

Best regards,
Dan.
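The symptom above (a multi-fragment NFS datagram of which pf passes some fragments and drops others with reason "fragment") is easiest to confirm by grouping the pflog output by source, destination and IP ID and checking whether every fragment of each datagram got through. The script below is an added example written for this page, not code from the poster or from the OpenBSD project; it parses the tcpdump-style pflog line format quoted in the message. The sample log lines embedded in it are constructed to match that format and are not from a real capture, and the rule numbers and ports in them are assumed values.

```python
"""Summarise what pf did with each fragmented datagram in pflog output.

Added example; SAMPLE_LOG below is constructed in the format quoted in the
message above (as printed by "tcpdump -n -e -ttt -r /var/log/pflog" on
OpenBSD 3.x), it is not a real capture.
"""
import re
from collections import defaultdict

# One pflog line, e.g.
#   Nov 18 12:34:58.614117 rule 0/2(fragment): block in on fxp1: \
#       192.168.32.2 > 192.168.32.1: (frag 44100:1272@2960)
# "rule <rule>/<reason>(<reason name>)" is how tcpdump prints the pflog header.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"rule (?P<rule>\d+)/(?P<reason>\d+)\((?P<reason_name>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:(?P<rest>.*)$"
)
# tcpdump's fragment annotation: (frag <ip-id>:<payload-len>@<offset>[+])
# where a trailing "+" means the more-fragments flag is set.
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


def parse_line(line):
    """Return a dict for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["reason"] = int(rec["reason"])
    frag = FRAG_RE.search(rec["rest"])
    rec["frag"] = None
    if frag:
        rec["frag"] = {
            "id": int(frag.group("id")),
            "len": int(frag.group("len")),
            "off": int(frag.group("off")),
            "more": frag.group("more") == "+",
        }
    return rec


def fragment_report(lines):
    """Group fragments by (src, dst, ip-id) and report what pf did with each.

    'complete' is True only when the logged fragments run from offset 0 to a
    last fragment without the more-fragments flag with no gaps.  A datagram
    that is complete in the log but has blocked > 0 was seen whole by the
    firewall and never reassembled by the receiver: the NFS symptom above.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["frag"]:
            groups[(rec["src"], rec["dst"], rec["frag"]["id"])].append(rec)
    report = {}
    for key, recs in groups.items():
        frags = sorted((r["frag"]["off"], r["frag"]["len"], r["frag"]["more"]) for r in recs)
        expected = 0
        complete = True
        for off, length, more in frags:
            if off != expected:          # gap or overlap in the offsets
                complete = False
                break
            expected = off + length
        complete = bool(complete and frags and not frags[-1][2])
        report[key] = {
            "fragments": len(frags),
            "blocked": sum(1 for r in recs if r["action"] == "block"),
            "passed": sum(1 for r in recs if r["action"] == "pass"),
            "bytes": expected if complete else None,
            "complete": complete,
            "reasons": sorted({r["reason_name"] for r in recs if r["action"] == "block"}),
        }
    return report


# Constructed sample: a three-fragment NFS datagram (IP ID 44100) of which the
# first fragment passed and the other two were dropped with reason "fragment",
# followed by an unfragmented NFS packet.  Rule numbers and ports are assumed.
SAMPLE_LOG = """\
Nov 18 12:34:58.613902 rule 2/0(match): pass in on fxp1: 192.168.32.2.1023 > 192.168.32.1.2049: udp 4224 (frag 44100:1480@0+)
Nov 18 12:34:58.614050 rule 0/2(fragment): block in on fxp1: 192.168.32.2 > 192.168.32.1: (frag 44100:1480@1480+)
Nov 18 12:34:58.614117 rule 0/2(fragment): block in on fxp1: 192.168.32.2 > 192.168.32.1: (frag 44100:1272@2960)
Nov 18 12:35:01.002311 rule 2/0(match): pass in on fxp1: 192.168.32.2.1023 > 192.168.32.1.2049: udp 120
"""

if __name__ == "__main__":
    for (src, dst, ipid), info in fragment_report(SAMPLE_LOG.splitlines()).items():
        print(f"{src} > {dst} id {ipid}: {info}")
```

Run it against real output with `fragment_report(open("pflog.txt").readlines())`; any datagram listed with `complete` true and `blocked` above zero is one where the firewall dropped part of a datagram it had fully seen, and the `reasons` field tells you whether it was a rule match or the fragment handler that did it.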
