On Mon, 10 Feb 2003, Mike Frantzen wrote:
> > Quite possibly the final word on the matter:
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084
>
> I may as well clarify the purpose of SCRUB to the masses since Niels
> seems to be on an extended hiatus rolling a few tanks into france or
> something.
>
> Scrub is not fragment reassembly.
> Scrub is traffic normalization.
>
> Traffic normalization is resolving traffic ambiguities when possible and
> blocking the ambiguous traffic when it cannot be resolved. It allows
> the view of passive systems behind the firewall to be consistent with
> what the end host sees. This guarantees that intrusion detection
> systems will operate in the presence of evasion without having to guess
> at the end host's stack and their reassembly mechanisms. In the future,
> it will allow us to tighten up the state code in PF if we can be more
> certain that packets received by the firewall will be received by the
> end host.
>
> Why does scrub drop MF|DF fragments? Because it is not clear whether
> the end host will reassemble those packets. Some people consider
> fragments with the Don't Fragment bit set to be perfectly logical,
> others of us don't know what the hell it means. That folks, is an
> ambiguity and is exactly what the scrubber is tasked to prevent.
I agree that the default behaviour should be to drop fragments with DF.
But if you specify "scrub no-df" ("Clears the dont-fragment bit from a
matching ip packet.", taken from pf.conf(5)), the fragments should be
reassembled and the DF bit should be cleared.
At the moment scrub tests whether MF and DF are set before trying to
reassemble. So fragments with DF get dropped even if you specify "no-df" as
an option to scrub. Perhaps this should be changed.
Cheers,
Dries
--
Dries Schellekens
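The two behaviours under discussion (drop any fragment carrying DF because it is ambiguous, versus clear DF and reassemble when "no-df" is requested) in a toy normalizer. This is an added example written for this page, not pf's scrub code: it handles only 20-byte IPv4 headers, ignores overlapping fragments and reassembly timeouts, and the 10.0.0.1/10.0.0.2 addresses, IP ID 0x1234 and the 32-byte payload split into two 16-byte fragments are constructed inputs.

```python
"""Toy IPv4 traffic normalizer: what pf's scrub does with DF fragments
by default, and what the reply argues 'scrub no-df' should do instead.
Added example, not pf's own code. Assumes plain 20-byte IPv4 headers."""
import struct

DF = 0x4000       # Don't Fragment
MF = 0x2000       # More Fragments
OFF_MASK = 0x1FFF # fragment offset, in 8-byte units


def ip_checksum(hdr: bytes) -> int:
    """Internet checksum over a header; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ident, flags, frag_off, payload, proto=17,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build an IPv4 packet (constructed addresses 10.0.0.1 -> 10.0.0.2)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags | (frag_off & OFF_MASK), 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def frag_field(pkt: bytes) -> int:
    """Raw flags+offset field, handy for checking the DF bit was cleared."""
    return int.from_bytes(pkt[6:8], "big")


class Scrubber:
    """no_df=False: a fragment with DF set is ambiguous and is dropped.
    no_df=True: DF is cleared on matching packets and fragments reassembled."""

    def __init__(self, no_df=False):
        self.no_df = no_df
        self.frags = {}   # (src, dst, id, proto) -> {byte offset: payload}
        self.last = {}    # key -> total payload length, once MF=0 is seen
        self.dropped = 0

    def feed(self, pkt: bytes):
        """Return a packet to forward, or None if it was dropped or held."""
        (ver_ihl, _tos, total_len, ident, fl_off, _ttl, proto,
         _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        off = (fl_off & OFF_MASK) * 8
        is_frag = bool(fl_off & MF) or off != 0
        if fl_off & DF:
            if is_frag and not self.no_df:
                self.dropped += 1      # DF on a fragment: ambiguous, drop it
                return None
            if self.no_df:             # clear DF and repair the checksum
                hdr = bytearray(pkt[:ihl])
                struct.pack_into("!H", hdr, 6, fl_off & ~DF)
                hdr[10:12] = b"\x00\x00"
                struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
                pkt = bytes(hdr) + pkt[ihl:]
        if not is_frag:
            return pkt                 # not a fragment: forward as-is
        key = (src, dst, ident, proto)
        payload = pkt[ihl:total_len]
        entry = self.frags.setdefault(key, {})
        entry[off] = payload
        if not (fl_off & MF):
            self.last[key] = off + len(payload)
        if key not in self.last:
            return None                # last fragment not seen yet
        pos, parts = 0, []
        for start in sorted(entry):    # require a gap-free sequence
            if start != pos:
                return None
            parts.append(entry[start])
            pos = start + len(entry[start])
        if pos != self.last[key]:
            return None
        del self.frags[key], self.last[key]
        # Forward one whole datagram so hosts behind us see what we saw.
        return build_ipv4(ident, 0, 0, b"".join(parts), proto, src, dst)


def demo(no_df):
    """Feed two DF|MF / DF fragments (constructed) through the scrubber."""
    payload = bytes(range(32))
    s = Scrubber(no_df=no_df)
    frags = [build_ipv4(0x1234, DF | MF, 0, payload[:16]),
             build_ipv4(0x1234, DF, 2, payload[16:])]
    out = [p for p in (s.feed(f) for f in frags) if p is not None]
    return s.dropped, out


if __name__ == "__main__":
    print("default:", demo(False))   # both fragments dropped
    print("no-df:  ", demo(True))    # one reassembled datagram, DF cleared
```

With the default policy both fragments are counted as dropped and nothing is forwarded; with no_df=True the scrubber forwards a single 52-byte datagram whose flags/offset field is zero and whose header checksum verifies, which is the behaviour the reply asks "scrub no-df" to have.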