Hi,

In the ipf firewall, the "too short" option seems to be responsible for catching packets which are too short to be real/compared. So I think that the best would be to use PF's "scrubbing" options. Because scrub rules allow you to decide how to handle packets, I think that it could be the answer to your question. Scrub rules can also perform other basic packet checking and manipulation. More info can be found here: PF: Scrub (Packet Normalization).

By the way, much information about packets can be obtained by using the pfctl(8) and tcpdump(1) utilities. In pfctl (especially the -s flag and the all/info options), besides the short counter (shows how many unusually short packets were received), there are also many others.

Just for example: use the max-mss option included in scrub, which defines the maximum packet size which the system is ready to accept, and it's available as one of many possibilities in packet/traffic normalization. You can adjust the maximum segment size of packets that pass through PF. I read once that for most networks the Maximum Message Segment Size option can be safely set to 1472 bytes. For example, it means that (A.B.C.D) does not want to get more than 1472 bytes in a packet from the address (E.F.G.H). If you decide to use the max-mss option, please do it with care and prudence!

Finally, you can always take advantage of the ipf firewall, which has very good documentation: The IPFILTER (IPF) Firewall.

Oh, and one more thing: please correct me if I wrote something stupid!
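As an added illustration of the scrub and pfctl points in the answer above (this is not the poster's configuration and not taken from the PF documentation), here is a minimal pf.conf fragment in the classic "scrub" rule syntax, with the pfctl commands used to load it and to read the "short" counter. The interface name, the max-mss value and the network are placeholders chosen for the example; the correct MSS depends on your own path MTU.

```pf
# Added example pf.conf fragment, not the original poster's rules.
# ext_if and 192.0.2.0/24 are placeholder values (documentation range).
ext_if = "em0"
lan_net = "192.0.2.0/24"

# Normalize all inbound traffic: reassemble fragments and drop packets that
# are too short or otherwise malformed before any filter rule sees them.
# The "short" counter in "pfctl -s info" counts the packets dropped here.
scrub in on $ext_if all fragment reassemble

# Clamp the TCP maximum segment size on traffic crossing this interface.
# 1440 is a constructed example value; tune it to the real path MTU
# (the answer above mentions 1472 as a figure it read; measure, do not guess).
scrub on $ext_if all max-mss 1440

# Default-deny, then allow only what is needed (example policy).
block all
pass in  on $ext_if proto tcp from any to $lan_net port 22 keep state
pass out on $ext_if all keep state

# Checking and loading (run as root):
#   pfctl -nf /etc/pf.conf     # parse only, report syntax errors, load nothing
#   pfctl -f  /etc/pf.conf     # load the ruleset
#   pfctl -s info              # "Counters" section: fragment, short, normalize ...
#   pfctl -s all               # rules, states, counters and more in one listing
#   tcpdump -n -e -ttt -i pflog0   # watch what scrub/block decisions logged
```

The "short" counter only rises for packets that scrub (or the filter) rejected as too short, so a steadily climbing value on an otherwise quiet link is worth a tcpdump look; the max-mss clamp affects only TCP SYN segments and does nothing for the "too short" case, which is why the two rules are kept separate here.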