[Previous: Runtime Options] [Contents] [Next: Anchors]

PF: Scrub (Packet Normalization)

Table of Contents


"Scrubbing" is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations. A simple form of the scrub directive:
scrub in all

This will scrub all incoming packets on all interfaces.

One reason not to scrub on an interface is if one is passing NFS through PF. Some non-OpenBSD platforms send (and expect) strange packets -- fragmented packets with the "do not fragment" bit set, which are (properly) rejected by scrub. This can be resolved by use of the no-df option. Another reason is some multi-player games have connection problems passing through PF with scrub enabled. Other than these somewhat unusual cases, scrubbing all packets is a highly recommended practice.

The scrub directive syntax is very similar to the filtering syntax which makes it easy to selectively scrub certain packets and not others. The no keyword can be used in front of scrub to specify packets that will not be scrubbed. Just as with nat rules, the first matching rule wins.

More on the principle and concepts of scrubbing can be found in the Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics paper.


Scrub has the following options:
Clears the don't fragment bit from the IP packet header. Some operating systems are known to generate fragmented packets with the don't fragment bit set. This is particularly true with NFS. Scrub will drop such packets unless the no-df option is specified. Because some operating systems generate don't fragment packets with a zero IP identification header field, using no-df in conjunction with random-id is recommended.
Replaces the IP identification field of packets with random values to compensate for operating systems that use predictable values. This option only applies to packets that are not fragmented after the optional packet reassembly.
min-ttl num
Enforces a minimum Time To Live (TTL) in IP packet headers.
max-mss num
Enforces a maximum Maximum Segment Size (MSS) in TCP packet headers.
fragment reassemble
Buffers incoming packet fragments and reassembles them into a complete packet before passing them to the filter engine. The advantage is that filter rules only have to deal with complete packets and can ignore fragments. The drawback is the increased memory needed to buffer packet fragments. This is the default behavior when no fragment option is specified. This is also the only fragment option that works with NAT.
fragment crop
Causes duplicate fragments to be dropped and any overlaps to be cropped. Unlike fragment reassemble, fragments are not buffered but are passed on as soon as they arrive.
fragment drop-ovl
Similar to fragment crop except that all duplicate or overlapping fragments will be dropped as well as any further corresponding fragments.
reassemble tcp
Statefully normalizes TCP connections. When using scrub reassemble tcp, a direction (in/out) may not be specified. The following normalizations are performed:


scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in on fxp0 all no-df
scrub    on fxp0 all reassemble tcp

[Previous: Runtime Options] [Contents] [Next: Anchors]

[back] www@openbsd.org
$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $