On Wed, Oct 19, 2005 at 07:51:13PM -0600, jared r r spiegel wrote:
> On Tue, Oct 18, 2005 at 11:50:41AM -0400, Jon Hart wrote:
> >
> > What I'd like is to disable scrub's tcp reassembly on a per
> > host/port/protocol basis, something along the lines of:
> >
> > scrub all no-df random-id fragment reassemble reassemble tcp
> > no scrub inet proto tcp from any to $SAN_NET port 3260 reassemble tcp
> >
> > I'll bring up a test system to see if this is possible, but my question
> > is will this get me what I want? I want to do full scrubbing on all of
> > my traffic except I don't want to do tcp reassembly on port 3260/tcp for
> > a specific host.
>
> flip the order, no scrub first (normalization is like translation,
> first match).
>
> other than that, looks fine.
Great, I'll give it a shot. The order makes sense as you've described, but... will this give me scrubbing on all traffic (including 3260/tcp), but do tcp reassembly on everything that isn't 3260/tcp?

Thanks!

-jon
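An added example, not part of the thread and not Jon's or jared's configuration: a pf.conf normalization section laying out the ordering jared describes, with a constructed placeholder value for $SAN_NET. Scrub rules are evaluated first-match, so the rule for the port 3260 flows has to sit before the catch-all. The caveat for Jon's last question is in the comments: a `no scrub` rule that matches takes the packet out of normalization entirely (none of the other scrub options apply to it either), so if the goal is "all scrubbing except TCP reassembly" for those flows, a specific `scrub` rule without `reassemble tcp` placed before the catch-all is the shape that does it.

```pf
# Added example (not from the thread). $SAN_NET is a constructed placeholder.
SAN_NET = "10.0.0.0/24"

# Scrub rules are first-match: the first "scrub" or "no scrub" rule that
# matches a packet decides its normalization. Specific rules go before the
# catch-all, otherwise the catch-all wins and the specific rule is dead.

# Option A (commented out): exempt the port 3260 flows from normalization
# entirely. A packet matching this rule gets NO scrubbing at all: no no-df,
# no random-id, no fragment reassembly, not just "no tcp reassembly".
# Use this only if that is really what you want for the SAN traffic.
#no scrub inet proto tcp from any to $SAN_NET port 3260

# Option B: keep every scrub option except TCP reassembly for those flows.
# This rule matches first; its option list simply omits "reassemble tcp",
# and the catch-all below never sees these packets.
scrub inet proto tcp from any to $SAN_NET port 3260 no-df random-id fragment reassemble

# Catch-all for everything else, including TCP reassembly.
scrub all no-df random-id fragment reassemble reassemble tcp
```

Check the file for syntax errors without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the loaded order with `pfctl -s rules`; the scrub rules should be listed with the port 3260 rule ahead of the catch-all.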
