Tom Eastep wrote:
> No idea -- all I can find searching for 'pf+scrub' are reasons not to
> use it.

The thing about PF scrubbing which I'm most interested in is fragment reassembly. I understand this can be achieved in iptables, for practical purposes, by invoking "connection tracking" (conntrack). Does that sound right? Is this something that is already done (or which can be enabled) in Shorewall?

When I do "shorewall show capabilities" on my firewall (Debian Etch, 2.6.18-5-k7 kernel, running shorewall-perl 4.0.6), I do see a line that says "Connection Tracking Match: Available". Does that mean connection tracking is already happening by default on my system? Or do I need to do something explicit in my Shorewall configuration to enable it?

--
Rich Wales === Palo Alto, CA, USA === [EMAIL PROTECTED]
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
