Hello all,

Maybe it is a misconfiguration on my part, but I believe the recently
added "no scrub" option is not working as expected.

We all know the problem with Linux NFS traffic passing over an OpenBSD
box. The no scrub directive gives an excellent opportunity to scrub
everything BUT the NFS traffic on your interfaces. That is particularly
essential for setups where the clients are not so 'trusted'.

In my case, there are two internal interfaces: A and B.

A small (and ugly as always) 'graph':

[LAN A] --------- {A} OBSD 3.7 {B} ----------- [LAN B]
  ===                                           ====
 / = \                                          /
/     \                                         /
C1     C2                                     S_NFS

C1/C2 == clients
S_NFS == NFS server.

Up to this moment, no traffic normalization was enforced on either of the
two interfaces {A,B}. The idea is simple:
(a) create a no scrub rule matching the traffic from the NFS server (LAN
 B) to the clients (LAN A).
(b) start scrubbing on the internal interfaces for the rest of the traffic.

Relevant rules:
# Do not scrub in any direction on INT B for our nfs server
no scrub on $int_b from $LAB_NFS_SERVERS to any
no scrub on $int_b from any to $LAB_NFS_SERVERS

# Scrub on all interfaces
scrub in all
scrub out all

All the obvious combinations of the no scrub rule (in/out) were
attempted. The "scrub out no-df" remedy (as mentioned in the pf FAQ) never
worked for me.

Any comments are welcomed.

Thank you for your time,

MzOzD

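An added example, not the poster's pf.conf: a complete normalization section for the two-interface layout drawn above, with the macros filled in by assumption (interface names and the server address are placeholders). Two things the posted rules leave open are made explicit. First, pf evaluates scrub rules first-match, so the no scrub lines must sit above the catch-all "scrub in all"/"scrub out all", as they do in the post; a scrub rule with no direction keyword matches both in and out. Second, NFS packets cross both internal interfaces: a request from C1 enters on {A} and leaves on {B}, and the reply enters on {B} and leaves on {A}. A no scrub that names only $int_b still leaves the same packets subject to "scrub in all" and "scrub out all" on $int_a, so the exemption is repeated for both interfaces here.

```pf
# Added example, not the original poster's configuration.
# Macro values are assumptions; substitute the real ones.
int_a = "em0"                       # assumed: interface facing LAN A (clients)
int_b = "em1"                       # assumed: interface facing LAN B (NFS server)
LAB_NFS_SERVERS = "{ 10.0.2.10 }"   # assumed: address of S_NFS

# Exemptions first: scrub rules are first-match, and a rule without
# "in" or "out" matches both directions on the named interface.
# NFS traffic traverses both internal interfaces, so exempt it on each.
no scrub on $int_b from $LAB_NFS_SERVERS to any
no scrub on $int_b from any to $LAB_NFS_SERVERS
no scrub on $int_a from $LAB_NFS_SERVERS to any
no scrub on $int_a from any to $LAB_NFS_SERVERS

# Everything else on every interface is normalized.
scrub in all
scrub out all
```

To check the result, run `pfctl -nf /etc/pf.conf` for a parse-only check, load it, and then look at `pfctl -vs rules`: the normalization rules are printed in the order they were loaded, and with -v each rule carries its evaluation and packet counters, so generating some NFS traffic from C1 and watching the counters on the no scrub lines climb confirms that the exemption is being hit on both interfaces rather than falling through to the scrub lines.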