Hi,
I have just upgraded a firewall and had an issue as I was trying to
use older pf.conf syntax for scrub - yes, I should have checked the man
pages rather than the site. I think the pf webpage/FAQ
http://www.openbsd.org/faq/pf/scrub.html needs to have the following
removed - based on info from http://www.openbsd.org/faq/upgrade46.html#newPF

fragment crop
    Causes duplicate fragments to be dropped and any overlaps to be
    cropped. Unlike fragment reassemble, fragments are not buffered but
    are passed on as soon as they arrive.

fragment drop-ovl
    Similar to fragment crop except that all duplicate or overlapping
    fragments will be dropped as well as any further corresponding
    fragments.

Also the examples need to be updated - I'm not a pf expert but at a stab:

    set reassemble yes
    match in on fxp0 all scrub (min-ttl 15 max-mss 1400)
    match in all scrub (no-df max-mss 1400)

    set reassemble yes
    match in on fxp0 all scrub

Cheers, I hope this saves someone from chasing their tail and being left
head scratching,
Mike.
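
Added example (not part of the original post or of the OpenBSD documentation): a small pre-upgrade check that flags pf.conf lines still using the older scrub syntax discussed above, so they can be rewritten as "match ... scrub (...)" and "set reassemble". The script name, function names and the sample ruleset are constructed for illustration, and it assumes old-style rules begin with the "scrub" keyword.

```shell
#!/bin/sh
# Added example: flag pf.conf lines that still use the pre-4.6 scrub syntax.

# Constructed sample ruleset mixing old and new forms.
sample_pf_conf() {
    cat <<'EOF'
# constructed sample, not from a real firewall
set reassemble yes
scrub in on fxp0 all fragment reassemble min-ttl 15 max-mss 1400
scrub in all fragment crop
match in all scrub (no-df max-mss 1400)
pass in on fxp0 proto tcp to port 22
EOF
}

# Print "LINE:REASON:TEXT" for each finding; return 1 if anything was found.
check_pf_scrub() {
    awk '
    { rule = $0; sub(/#.*/, "", rule) }   # drop comments before matching
    # Assumption: an old-style rule starts with the "scrub" keyword;
    # the new form is "match ... scrub (...)".
    rule ~ /^[ \t]*scrub([ \t]|$)/ {
        printf "%d:old-scrub-rule:%s\n", NR, $0; found = 1
    }
    # The two options the post asks to have removed from the FAQ.
    rule ~ /fragment[ \t]+(crop|drop-ovl)([ \t]|$)/ {
        printf "%d:removed-fragment-option:%s\n", NR, $0; found = 1
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Usage (hypothetical script name): sh check_scrub.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    check_pf_scrub "$1"
fi
```

Running it against the old configuration before upgrading gives the list of rules to convert; "pfctl -nf" on the new system remains the authoritative syntax check.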