> Quite possibly the final word on the matter:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084
I may as well clarify the purpose of SCRUB to the masses, since Niels seems to be on an extended hiatus rolling a few tanks into France or something.

Scrub is not fragment reassembly. Scrub is traffic normalization. Traffic normalization is resolving traffic ambiguities when possible and blocking the ambiguous traffic when it cannot be resolved. It allows the view from passive systems behind the firewall to be consistent with what the end host sees. This guarantees that intrusion detection systems will operate in the presence of evasion without having to guess at the end host's stack and its reassembly mechanisms. In the future, it will allow us to tighten up the state code in PF if we can be more certain that packets received by the firewall will be received by the end host.

Why does scrub drop MF|DF fragments? Because it is not clear whether the end host will reassemble those packets. Some people consider fragments with the Don't Fragment bit set to be perfectly logical; others of us don't know what the hell it means. That, folks, is an ambiguity, and is exactly what the scrubber is tasked to prevent.

Next show at eleven.

.mike
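
The MF|DF decision described in the post, worked through as an added example (this is not PF's code and not part of the original thread; `parse_ipv4`, `scrub_decision`, `build_ipv4` and the sample packets are all constructed here). It parses an IPv4 header, classifies a packet as a fragment when either the More Fragments flag is set or the fragment offset is non-zero, and returns "drop" for the ambiguous case where such a fragment also carries Don't Fragment, "reassemble" for an unambiguous fragment, and "pass" for anything else:

```python
import struct

# IPv4 flags as they appear after shifting the 16-bit flags/offset field right by 13.
IP_FLAG_DF = 0x2  # Don't Fragment
IP_FLAG_MF = 0x1  # More Fragments


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; raise on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = vihl >> 4
    ihl = (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        raise ValueError("bad IPv4 header")
    flags = flags_off >> 13            # 3-bit field: reserved | DF | MF
    frag_off = (flags_off & 0x1FFF) * 8  # offset is in 8-byte units
    return {
        "id": ident,
        "df": bool(flags & IP_FLAG_DF),
        "mf": bool(flags & IP_FLAG_MF),
        "frag_off": frag_off,
        "ttl": ttl,
        "proto": proto,
        "src": src,
        "dst": dst,
    }


def scrub_decision(pkt: bytes) -> str:
    """Normalizer verdict for one packet: 'pass', 'reassemble' or 'drop'.

    A packet is a fragment if MF is set (first/middle piece) or its offset is
    non-zero (middle/last piece). A fragment that also has DF set is the
    ambiguous case the post describes: hosts disagree on whether to reassemble
    it, so the normalizer cannot present a consistent view and drops it.
    """
    hdr = parse_ipv4(pkt)
    is_fragment = hdr["mf"] or hdr["frag_off"] != 0
    if is_fragment and hdr["df"]:
        return "drop"
    if is_fragment:
        return "reassemble"
    return "pass"


def build_ipv4(flags: int, frag_off_units: int, payload: bytes = b"",
               ident: int = 0x1234, ttl: int = 64, proto: int = 17) -> bytes:
    """Construct a minimal IPv4 packet (constructed test input, checksum left 0)."""
    total_len = 20 + len(payload)
    flags_off = ((flags & 0x7) << 13) | (frag_off_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def scrub_stream(packets) -> dict:
    """Apply scrub_decision to a sequence of packets and tally the verdicts."""
    counts = {"pass": 0, "reassemble": 0, "drop": 0}
    for pkt in packets:
        counts[scrub_decision(pkt)] += 1
    return counts


if __name__ == "__main__":
    # Constructed samples: whole datagram, DF-only datagram, normal first and
    # last fragments, and two MF|DF / offset+DF fragments that get dropped.
    samples = [
        build_ipv4(0, 0, b"A" * 8),
        build_ipv4(IP_FLAG_DF, 0, b"B" * 8),
        build_ipv4(IP_FLAG_MF, 0, b"C" * 8),
        build_ipv4(0, 1, b"D" * 8),
        build_ipv4(IP_FLAG_MF | IP_FLAG_DF, 0, b"E" * 8),
        build_ipv4(IP_FLAG_DF, 1, b"F" * 8),
    ]
    for pkt in samples:
        print(parse_ipv4(pkt)["df"], parse_ipv4(pkt)["mf"],
              parse_ipv4(pkt)["frag_off"], "->", scrub_decision(pkt))
    print(scrub_stream(samples))
```

The point of the third branch is the one the post makes: the normalizer does not try to decide whether an MF|DF fragment "should" be reassembled, it refuses to forward a packet whose interpretation differs between end-host stacks, so the IDS behind the firewall never has to guess.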
