PF Scrub: Normalization question.

Hello guys and gals, I tried these in VirtualBox running FreeBSD and they both work, but I'm not 100% clear on which to use for a stand-alone FreeBSD workstation. I kind of figure that the first one would be used for networking on a LAN, with the normalization statement scrub all possibly meaning in on all interfaces (but without the in, as the OpenBSD PF manual says; only scrub all works for FreeBSD), but I'm not 100% sure of that either.

I also wonder why the first one uses the keyword tcp and the other does not? … Are my comments concerning direction correct? I know my questions may be confusing, but if you read into the links below (the keywords scrub and pass on; scrub on hinted to me) for the first link, you'll know what I mean. The tiny differences in each may need to be sorted into one that makes it clear for FreeBSD. I'm not sure, so I ask.
Code:
scrub out on …. allow out only
scrub  on … allow in and out
Which of these is more correct for a desktop/workstation?
Code:
scrub all no-df random-id min-ttl 5 max-mss 1440 reassemble tcp	# in on all interfaces
scrub out on $ext_if no-df random-id				# out only
scrub    on $ext_if all reassemble tcp				# in and out
Code:
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400	# in on host interfaces
scrub in on $ext_if all no-df					        # in only
scrub    on $ext_if all reassemble tcp				        # in and out
https://srobb.net/pf.html
http://ftp.tuwien.ac.at/.vhost/www.openbsd.org/www/faq/pf/scrub.html
https://forums.freebsd.org/threads/24215/
 
I wonder if this only affects Windows and Linux type firewalls and not BSD pf. Since reading some into this link, my XP guest inside VirtualBox will finally be history, at least using it on the INTERNET. It doesn't seem that LibreOffice or any other will ever replace MS Office and Adobe off-line.

http://arstechnica.com/security/201...ack-nsa-tied-hackers-posts-exploits-as-proof/

My main concern was the use of random-id:
Code:
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df random-id
scrub    on $ext_if all reassemble tcp
I included random-id. It doesn't seem to be commonplace here, but it gave me no error on my stand-alone workstation. I hate being blind, just cut-and-pasting everything without questioning what seems strange. But I guess in this case, if it doesn't break anything, it'll be the last thing to ride without complete or decent knowledge of what I'm doing.
 
For a simple end point (i.e. a system which is not a router/gateway/firewall), I would lose most of the above. Add net.inet.ip.random_id=1 to /etc/sysctl.conf to get random IDs on packets you generate (it's pointless doing it on inbound traffic when you are not going to forward the traffic over an insecure network). Don't mess with MSS unless you have a reason to do so (such as a less than 1500 MTU on your WAN link). Min-ttl is pointless on an end point. Clearing DF is going to break path MTU discovery, which is a useful feature for TCP performance and avoiding generating fragments, and may isolate you from some remote systems/networks which handle fragments badly.

Unless you actually have a good reason to enable something else, I would reduce it to a simple scrub in on $ext_if all fragment reassemble, which actually does do something useful for an end point system which is filtering inbound packets.

PF (and the other firewalls, and Unix networking in general) gives you lots of interesting looking switches. In general, don't go turning all of them on without a reasonably strong reason for each. Many of the switches only make sense on a system which is forwarding packets for other systems (i.e. router/gateway/firewall, not a system which is only filtering its own traffic).

As far as OpenBSD docs go, FreeBSD's PF is from OpenBSD 4.x and does not support syntax changes made in OpenBSD 5.x. I.e. many more recent things written about OpenBSD PF may have issues on FreeBSD. FreeBSD's PF is essentially a fork, and no longer directly pulls anything in from upstream.
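A small checker for the advice in this reply, added here as an example and not code from the thread, from FreeBSD or from Murph: it parses each scrub rule in a pf.conf, flags the options the reply calls pointless or harmful on an end point (no-df, min-ttl, max-mss, random-id), and rewrites a rule down to what remains. The pf.conf fragment is constructed to resemble the rules posted above.

```python
import re
# Options the reply above calls pointless or harmful on an end point, with its reason.
ENDPOINT_WARNINGS = {
    "no-df": "clears DF and breaks path MTU discovery",
    "min-ttl": "pointless on an end point",
    "max-mss": "only needed when the WAN link MTU is below 1500",
    "random-id": "set net.inet.ip.random_id=1 in /etc/sysctl.conf instead",
}
TAKES_ARG = {"min-ttl", "max-mss"}  # flagged options followed by a numeric value
# Matches: scrub [in|out] [on IFACE] [all] OPTION...   (comments are stripped first)
SCRUB_RE = re.compile(r"^\s*scrub\s+(?P<dir>in|out)?\s*(?:on\s+(?P<iface>\S+))?\s*(?:all)?\s*(?P<opts>.*)$")

def parse_scrub(line):
    """Return (direction, interface, [option names]) for a scrub rule, else None."""
    m = SCRUB_RE.match(line.split("#", 1)[0])
    if m is None:
        return None
    tokens, opts, i = m.group("opts").split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "fragment" and i + 1 < len(tokens):  # 'fragment reassemble'
            opts.append(tok + " " + tokens[i + 1]); i += 2
        elif tok == "reassemble" or tok in TAKES_ARG:   # 'reassemble tcp', 'min-ttl 15'
            opts.append("reassemble tcp" if tok == "reassemble" else tok); i += 2
        else:
            opts.append(tok); i += 1
    return m.group("dir"), m.group("iface"), opts

def lint_endpoint(conf):
    """Return (line number, option, reason) for every flagged scrub option in conf."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        for opt in (parse_scrub(line) or (None, None, []))[2]:
            if opt in ENDPOINT_WARNINGS:
                findings.append((lineno, opt, ENDPOINT_WARNINGS[opt]))
    return findings

def strip_endpoint_options(rule):
    """Rewrite one scrub rule without the flagged options (and their values)."""
    tokens, kept, i = rule.split("#", 1)[0].split(), [], 0
    while i < len(tokens):
        if tokens[i] not in ENDPOINT_WARNINGS:
            kept.append(tokens[i])
        i += 2 if tokens[i] in TAKES_ARG else 1
    return " ".join(kept)
# Constructed pf.conf fragment resembling the rules posted above (not a real host's).
SAMPLE_CONF = """\
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df random-id
scrub    on $ext_if all reassemble tcp   # in and out
"""
```

Running lint_endpoint(SAMPLE_CONF) reports the four flagged options on the first two rules and nothing on the third; strip_endpoint_options on the first rule yields the minimal scrub in on $ext_if all fragment reassemble recommended above.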
 
I searched long and hard for additional information that most FreeBSD how-tos do not provide. I have never found much; then, when I give up, I find the real details here at this forum under another subject by accident; if not, it'll be in a single blog in the entire Google universe. Your reply resonates with years of hands-on experience and it explains a lot for me. I can see it adding vision to many other questions. Thank you very much Murph for painting such a magnificent picture of where and why things work behind the scenes. I can see it, but there is one more thing I need to be sure of for now:

Does it make sense to use this list of runtime options in my case? Are they in the proper order? Is anything missing? This is for a standalone machine with a VirtualBox FreeBSD guest (web-connected) and a few jails on the host for devel. It seems to be secure for web development. It is not on a network, but it does go through a VPN for surfing the Internet, and will eventually be used to connect to a VPS at Digital Ocean and a dedicated server at OVH. They both are dirt-cheap compared to yesteryear.

I always wondered if set skip on lo0 was in the correct position or if it should be included at all. My web development environment is done on the host in a few jails (10.0.0.1).
Code:
set optimization aggressive  
set block-policy drop
set state-policy if-bound
set loginterface $ext_if
set skip on lo0

scrub in on $ext_if all fragment reassemble
# scrub reassemble tcp
I placed this line in sysctl.conf
Code:
net.inet.ip.random_id=1
That’s it … Thanks for all.
 
Never mind, I found my problem. I've been trying to figure out why I end up with the same information when I do searches. Now I see. Before I tried FreeBSD I tried reading technical docs, but they only left me hanging, so I joined this forum. Since day one I've learned to rely on real-life users, members of this forum and blogs about FreeBSD. Today I read a bunch of wikis about PF and now I understand them. Imagine being clueless and people of computer-science caliber sharing with you like you were one of them. Nothing has been more awesome than that, but it took Murph's reply to wake me up (how could one person be that deep in so many areas, other than SirDice and wblock?); now those high-tech docs seem so simple. I should have been on the ball long ago, but better late than never; I'm glad. Anyway, thanks again … it's Wiki time :)
 