Mike Frantzen wrote:
> Quite possibly the final word on the matter:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084
>
> I may as well clarify the purpose of SCRUB to the masses since Niels
> seems to be on an extended hiatus rolling a few tanks into France or
> something.
>
> Scrub is not fragment reassembly.
> Scrub is traffic normalization.
>
> Traffic normalization is resolving traffic ambiguities when possible and
> blocking the ambiguous traffic when it cannot be resolved. It allows
> the view of passive systems behind the firewall to be consistent with
> what the end host sees. This guarantees that intrusion detection
> systems will operate in the presence of evasion without having to guess
> at the end host's stack and its reassembly mechanisms. In the future,
> it will allow us to tighten up the state code in PF if we can be more
> certain that packets received by the firewall will be received by the
> end host.
>
> Why does scrub drop MF|DF fragments? Because it is not clear whether
> the end host will reassemble those packets. Some people consider
> fragments with the Don't Fragment bit set to be perfectly logical,
> others of us don't know what the hell it means. That, folks, is an
> ambiguity and is exactly what the scrubber is tasked to prevent.

Perfect, so following your argumentation here, scrub should "normalize" the packets to
ensure "the end host will reassemble those packets".
That means to me:
1) Reassemble the packet
2) *Remove* the DF bit (since PMTU will stop here anyway)
3) Send it to the new host (possibly refragmenting it, but *without* the DF)

Or am I missing something?

BTW, if the "end host" is "this host" (like in my NFS case) there is no ambiguity;
we know we do accept these packets.
Cedric
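As an added worked example, not pf's code and not written by anyone in this thread, the following Python sketch makes the two positions above concrete. classify() flags the case pf's scrub drops (a fragment that also carries DF) as "ambiguous", and normalize() implements the alternative policy proposed in the reply: reassemble, clear DF, then refragment for the outbound MTU with DF left off. Everything in it is constructed for illustration: the header builder, the 10.0.0.1 -> 10.0.0.2 addresses, identification 0x1234, the 40-byte payload and the 44-byte MTU. It assumes IPv4 headers without options and rejects overlapping or gapped fragments instead of resolving them, which a real normalizer would have to do deliberately.

```python
import struct

IP_DF = 0x4000       # Don't Fragment flag
IP_MF = 0x2000       # More Fragments flag
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (checksum field zeroed by the caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, ident, flags_offset, src=b"\x0a\x00\x00\x01",
               dst=b"\x0a\x00\x00\x02", proto=17, ttl=64):
    """Build a minimal (no options) IPv4 packet; addresses are made-up sample values."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_offset, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "df": bool(flags_off & IP_DF), "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8, "ttl": ttl, "proto": proto,
            "src": src, "dst": dst, "payload": pkt[ihl:total_len]}


def classify(pkt):
    """'ambiguous' is the case the scrubber drops: a fragment that also says Don't Fragment."""
    h = parse_ipv4(pkt)
    if not (h["mf"] or h["offset"]):
        return "whole"
    return "ambiguous" if h["df"] else "fragment"


def reassemble(frags):
    """Join fragments of one datagram into a whole packet with DF and MF cleared.
    Gaps, overlaps and inconsistent MF bits are rejected, not resolved."""
    parsed = [parse_ipv4(f) for f in frags]
    if len({(p["src"], p["dst"], p["ident"], p["proto"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    parsed.sort(key=lambda p: p["offset"])
    buf, expected = bytearray(), 0
    for i, p in enumerate(parsed):
        last = i == len(parsed) - 1
        if p["offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        if p["mf"] == last:
            raise ValueError("MF flag inconsistent with fragment position")
        if not last and len(p["payload"]) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
        buf += p["payload"]
        expected += len(p["payload"])
    f = parsed[0]
    return build_ipv4(bytes(buf), f["ident"], 0, f["src"], f["dst"], f["proto"], f["ttl"])


def refragment(pkt, mtu):
    """Split a whole datagram for the given MTU; DF is never set on the output."""
    h = parse_ipv4(pkt)
    chunk = (mtu - 20) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    out, payload = [], h["payload"]
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        mf = IP_MF if off + chunk < len(payload) else 0
        out.append(build_ipv4(piece, h["ident"], mf | (off // 8),
                              h["src"], h["dst"], h["proto"], h["ttl"]))
    return out


def normalize(frags, mtu):
    """The policy proposed in the reply: reassemble, drop DF, refragment without DF."""
    return refragment(reassemble(frags), mtu)


# Constructed sample: a 40-byte datagram split in two, both pieces carrying DF.
PAYLOAD = bytes(range(40))
SAMPLE_FRAGS = [
    build_ipv4(PAYLOAD[:24], 0x1234, IP_DF | IP_MF),  # first piece: the MF|DF case
    build_ipv4(PAYLOAD[24:], 0x1234, IP_DF | 3),      # last piece: DF, offset 24/8
]

if __name__ == "__main__":
    print([classify(p) for p in SAMPLE_FRAGS])
    print([classify(p) for p in normalize(SAMPLE_FRAGS, 44)])
```

Run as is, the sample fragments classify as "ambiguous" (what pf's scrub would drop), while the output of normalize() is two plain fragments with DF cleared that reassemble to the original payload. The strict gap/overlap rejection is deliberate: how overlapping fragments are resolved is itself one of the stack-specific ambiguities normalization exists to remove, so a real implementation has to pick and document a policy rather than silently accept whatever arrives.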
