PF Can't figure out "scrub" usage

I recently learned about the scrub feature in pf, that sounds like a great thing to enable on my web server.

So I read all I can find about it, which is essentially just the same man page reposted on the docs of every different BSD system that exists :D

Everything seems simple enough, but I can't get it to work! Every time I add scrub in all to my pf.conf, it gives me an error that Rules must be in order: options, normalization, queueing, translation, filtering.

I don't have that many rules. My setup is not very complicated, yet everywhere I try to add scrubbing causes this order syntax error.

Here's my full ruleset, it's pretty short. Note that this is my local test server, hence the local IPs and rules that seem redundant. But on the real server, there are multiple physical connections and multiple IPs.

```
set skip on lo0

table <badhosts_a> persist
table <badhosts_b> persist

#scrub in all

block in quick from <badhosts_a> to any
block in quick from <badhosts_b> to any

block in all

pass in quick proto tcp from any to 172.16.2.16 port { 80 443 } keep state
pass in quick proto tcp from any to 172.16.2.16 port { 25 587 993 } keep state
pass in quick from 172.16.4.1/24 to any keep state

pass in quick proto icmp from any to any keep state
pass in quick proto esp from any to 172.16.2.16 keep state
pass in quick proto udp from any to 172.16.2.16 port { 500 1701 4500 } keep state

block in quick from 152.58.1.1/16


#Outbound traffic
pass out proto { tcp, udp, icmp } from any to any keep state
```

When it's commented out, everything works great. When it's not commented, anywhere I put it causes the order error.

Also, as I look at my rules, near the bottom I'm blocking the 152.58 subnet. But all of the pass rules are "pass in quick", so that last block rule should never actually get triggered, huh? That's not related, but just something I'm seeing now. I don't remember why I even put it in there, guess I'll remove that.
 
TBH, I still find this fairly confusing, but in this case scrubbing is part of traffic normalization, which should put the scrubbing after those blocking rules. The statement order is in the pf.conf man page.

It kind of makes sense as there's no reason to scrub packets that you're blocking.

> TBH, I still find this fairly confusing, but in this case scrubbing is part of traffic normalization, which should put the scrubbing after those blocking rules. The statement order is in the pf.conf man page.
>
> It kind of makes sense as there's no reason to scrub packets that you're blocking.

In the order list, "filtering" is the last step. Are pass and block not considered filtering?

Also I would think that it WOULD make sense to scrub a packet you're blocking, because if it's a malformed packet, drop it at the scrub before bothering to run it through the filters? I guess either way could make sense depending on the kind of traffic you're getting. I'll go check that man page again, but I agree, it's all very confusing.

> In the order list, "filtering" is the last step. Are pass and block not considered filtering?
>
> Also I would think that it WOULD make sense to scrub a packet you're blocking, because if it's a malformed packet, drop it at the scrub before bothering to run it through the filters? I guess either way could make sense depending on the kind of traffic you're getting. I'll go check that man page again, but I agree, it's all very confusing.

That is the part that confuses me. There is network filtering and there is packet filtering. And I struggle a bit to work out sometimes whether the filtering is being done at the network or the packet level. According to the man page, the scrubbing happens after the ethernet filtering and before the packet filtering.

Put the scrub line before the table line. Scrubbing is "normalization" in the list there. I think table switches you into "filtering" state, and is thus causing your error.

> Put the scrub line before the table line. Scrubbing is "normalization" in the list there. I think table switches you into "filtering" state, and is thus causing your error.

Thanks. The tables and macros are apparently a bit of an exception in terms of the order. For my own sanity, I tend to put the various stages into different files and just include them in the right order.

> Put the scrub line before the table line. Scrubbing is "normalization" in the list there. I think table switches you into "filtering" state, and is thus causing your error.

No change. Same error. "Rules must be in order: options, normalization, queueing, translation, filtering"

Huh. I suppose this is what we get for only using scrub on OpenBSD.

/usr/share/examples/pf/pf.conf says:

```
#table <spamd-white> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
#pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
```

So, try that ordering: macros, tables, settings, scrubbing, rules. Also use pfctl -vf /etc/pf.conf while loading it to make sure that it's erroring where you think it's erroring.
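The ordering that the "Rules must be in order" error enforces, written up as a small checker. This is an added example for this thread, not code from the forum or from pfctl: it models the section order from pf.conf(5) (options, normalization, queueing, translation, filtering) and treats macro, table, include and load anchor lines as unranked, which is why moving scrub above the table lines on its own changes nothing. The three embedded rulesets are constructed, modelled on the one posted above, and cover the cases the thread discusses: scrub placed after a block rule, scrub placed before the set option, and the documented order. On the host itself, pfctl -nvf /etc/pf.conf parses the file without loading it and reports the offending line; on OpenBSD, which dropped the standalone scrub rule and the ordering requirement in 4.7, the check does not apply.

```python
"""Section-order checker for pf.conf rulesets.

Constructed example for this thread, not code from the forum or from pfctl.
It models the rule that pfctl reports as "Rules must be in order: options,
normalization, queueing, translation, filtering": every ranked statement must
belong to the same section as, or a later section than, the highest section
already seen.  Macros, tables, include and load-anchor lines are not ranked.
"""
import re

SECTION_ORDER = ["options", "normalization", "queueing", "translation", "filtering"]

# First keyword of a statement -> section it belongs to.
KEYWORD_SECTION = {
    "set": "options",
    "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation",
    "binat-anchor": "translation",
    "pass": "filtering", "block": "filtering", "match": "filtering",
    "antispoof": "filtering", "anchor": "filtering",
}

# Statements pfctl accepts anywhere in the file.
UNRANKED_PREFIXES = ("table ", "include ", "load anchor ")
MACRO_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def classify(line):
    """Return the section of one pf.conf line, or None if the line is not ranked
    (blank, comment, macro definition, table definition, include, load anchor)."""
    stmt = line.split("#", 1)[0].strip()          # drop trailing comments
    if not stmt or stmt.startswith(UNRANKED_PREFIXES) or MACRO_RE.match(stmt):
        return None
    words = stmt.split()
    # "no nat ..." / "no rdr ..." are classified by their second word
    first = words[1] if words[0] == "no" and len(words) > 1 else words[0]
    if first not in KEYWORD_SECTION:
        raise ValueError(f"unrecognized statement: {stmt!r}")
    return KEYWORD_SECTION[first]


def check_order(conf):
    """Walk a ruleset top to bottom; return (True, 'ok') or (False, message)
    naming the first statement that appears after a later section."""
    highest, highest_line = -1, None
    for lineno, line in enumerate(conf.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTION_ORDER.index(section)
        if rank < highest:
            return False, (f"line {lineno}: {section} rule after "
                           f"{SECTION_ORDER[highest]} rule on line {highest_line}; "
                           f"rules must be in order: {', '.join(SECTION_ORDER)}")
        if rank > highest:
            highest, highest_line = rank, lineno
    return True, "ok"


# Constructed rulesets modelled on the one posted in the thread.
SCRUB_AFTER_FILTER = """\
set skip on lo0
table <badhosts_a> persist
block in quick from <badhosts_a> to any
scrub in all
pass in quick proto tcp from any to 172.16.2.16 port { 80 443 } keep state
"""

SCRUB_BEFORE_OPTIONS = """\
scrub in all
set skip on lo0
block in all
"""

CORRECT_ORDER = """\
set skip on lo0
scrub in all
table <badhosts_a> persist
block in quick from <badhosts_a> to any
block in all
pass in quick proto tcp from any to 172.16.2.16 port { 80 443 } keep state
pass out proto { tcp, udp, icmp } from any to any keep state
"""

if __name__ == "__main__":
    for name, conf in [("scrub after filter", SCRUB_AFTER_FILTER),
                       ("scrub before options", SCRUB_BEFORE_OPTIONS),
                       ("correct order", CORRECT_ORDER)]:
        ok, msg = check_order(conf)
        print(f"{name}: {msg}")
```

The checker reports the line of the misplaced statement together with the line of the earlier, later-section rule it collides with, which is the information pfctl's one-line error leaves out. The ruleset CORRECT_ORDER keeps the tables after scrub only to show that their position is irrelevant; set skip must stay first because options precede normalization.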
 