PF: Scrub (Packet Normalization)
"Scrubbing" is the normalization of packets so there are no ambiguities
in interpretation by the ultimate destination of the packet. The scrub
directive also reassembles fragmented packets, protecting some operating
systems from some forms of attack, and drops TCP packets that have
invalid flag combinations. A simple
form of the scrub directive:
scrub in all
This will scrub all incoming packets on all interfaces.
One reason not to scrub on an interface is if one is passing NFS through
PF. Some non-OpenBSD platforms send (and expect) strange packets --
fragmented packets with the "do not fragment" bit set, which are
(properly) rejected by scrub. This can be resolved by use of the
no-df option. Another reason is some multi-player games have
connection problems passing through PF with scrub enabled.
Other than these somewhat unusual cases, scrubbing all packets is a
highly recommended practice.
The scrub directive syntax is very similar to the
filtering syntax which makes it easy to
selectively scrub certain packets and not others.
The no keyword can be used in front of scrub to
specify packets that will not be scrubbed.
Just as with nat rules, the first
matching rule wins.
More on the principle and concepts of scrubbing can be found in the
Network Intrusion Detection: Evasion, Traffic Normalization, and
End-to-End Protocol Semantics paper.
Scrub has the following options:
- no-df
- Clears the don't fragment bit from the IP
packet header. Some operating systems are known to generate fragmented
packets with the don't fragment bit set. This is particularly
true with NFS. Scrub will drop such packets unless the
no-df option is specified. Because some operating systems
generate don't fragment packets with a zero IP identification
header field, using no-df in conjunction with random-id
- random-id
- Replaces the IP identification field of
packets with random values to compensate for operating systems
that use predictable values. This option only applies to
packets that are not fragmented after the optional packet reassembly.
- min-ttl num
- Enforces a minimum Time To Live (TTL)
in IP packet headers.
- max-mss num
- Enforces a maximum Maximum Segment
Size (MSS) in TCP packet headers.
- fragment reassemble
- Buffers incoming packet fragments and
reassembles them into a complete packet before passing them to the
filter engine. The advantage is that filter rules only have to deal
with complete packets and can ignore fragments. The drawback is the
increased memory needed to buffer packet fragments. This is the default
behavior when no fragment option is specified. This is also the
only fragment option that works with NAT.
- fragment crop
- Causes duplicate fragments to be dropped
and any overlaps to be cropped. Unlike fragment reassemble,
fragments are not buffered but are passed on as soon as they arrive.
- fragment drop-ovl
- Similar to fragment crop
except that all duplicate or overlapping fragments will be dropped as
well as any further corresponding fragments.
- reassemble tcp
- Statefully normalizes TCP connections.
When using scrub reassemble tcp, a direction (in/out) may not
The following normalizations are performed:
- Neither side of the connection is allowed to reduce their
IP TTL. This is done to protect against an attacker sending a packet
such that it reaches the firewall, affects the held state
information for the connection, and expires before reaching the
destination host. The TTL of all packets is raised to the highest
value seen for the connection.
- Modulates the TCP timestamps in TCP packet headers with a random
number. This can prevent an observer from deducing the uptime of the
host or from guessing how many hosts are behind a NAT gateway.
Examples:
scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in on fxp0 all no-df
scrub on fxp0 all reassemble tcp
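The following pf.conf fragment is an added example, not part of the OpenBSD PF User's Guide, that puts the two earlier points together: exempting NFS traffic from scrubbing with the "no" keyword under first-match ordering, and combining the no-df, random-id, fragment reassemble, min-ttl, max-mss and reassemble tcp options described above. The interface names fxp0/fxp1 and the NFS server address 192.0.2.10 are assumed placeholders (the address is from the documentation range), and the syntax is the stand-alone scrub directive this page documents.

```pf
# Added example: scrub section of a pf.conf using the directive syntax
# described on this page. Interface names and the NFS server address
# are assumptions, not values from the guide.
ext_if = "fxp0"
int_if = "fxp1"
nfs_server = "192.0.2.10"    # constructed placeholder address

# The first matching scrub rule wins, so exemptions must come first.
# The NFS server sends fragments with the don't-fragment bit set;
# leave its traffic untouched instead of having scrub drop it.
no scrub on $int_if from $nfs_server to any
no scrub on $int_if from any to $nfs_server

# Everything else on the internal interface: accept DF-flagged
# fragments (no-df) and, as the guide recommends alongside no-df,
# randomise the IP ID of unfragmented packets (random-id).
scrub on $int_if all no-df random-id

# Internet-facing interface: reassemble fragments so filter rules only
# see whole packets, enforce a minimum TTL and clamp the TCP MSS.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400

# Stateful TCP normalisation; note that reassemble tcp takes no
# in/out direction.
scrub on $ext_if all reassemble tcp
```

Check the ruleset parses before loading it with `pfctl -nf /etc/pf.conf` (the `-n` flag parses without loading). Because the "no scrub" rules precede the general rule, a packet to or from the NFS server matches them first and is never evaluated against `scrub on $int_if all`; reversing the order would silently scrub the NFS traffic.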
$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $