
Re: pf: to scrub or not to scrub?



On Wed, Jul 24, 2002 at 06:38:10PM -0700, Paul B. Henson wrote:
> I'm trying to determine what the general wisdom is regarding whether or not
> to scrub on a 3.1-stable pf system.
> 
> 
> according to the current FAQ:
> 
> 	As this does put additional load on the system, there is no reason
> 	to use this command unless this system is protecting a device with
> 	a poor TCP/IP implementation.

If that part is not about modulate-state, I'm going to shoot Nick. But I'm
pretty sure it is about modulate-state.

> according to the current how-to:
> 
> 	Using the scrub directive uses quite an amount of server resources,
> 	so its use should be limited to protecting only the weak TCP/IP
> 	stack implementations.

what for a howto?

> the man page in -stable doesn't really give a recommendation, while the man
> page in -current advises:
> 
> 	In most cases, the benefits of reassembly outweigh the additional
> 	memory cost, and it's recommended to use scrub rules to reassemble
> 	all fragments.

YES. YES YES YES YES YES.

> I was unable to find any relevant discussion in the mailing list archives,
> although the commit logs in CVS appear to indicate a preference for using
> scrub.

absolutely. use scrub. 

> Thoughts? 

The 3rd party howto is incorrect, you're quoting the FAQ out of context, and
the weather here could be better. Aside from that, my ability to think is
limited before coffee.

> Is the FAQ/how-to out of date, or are there some changes in
> -current such that scrub is recommended, but is not recommended for older
> versions?

scrub is and always was recommended.

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
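The reply above rests on a distinction the FAQ and how-to blur: `scrub` (fragment reassembly and packet normalization) and `modulate state` (randomizing TCP initial sequence numbers on behalf of a host with a weak TCP stack) are separate pf features. The following pf.conf fragment is an added illustration, not part of the original message or of any OpenBSD documentation; it uses the stand-alone `scrub` directive syntax of the OpenBSD 3.x era that the thread discusses, and the interface name `fxp0` and the address `10.0.0.5` are constructed placeholders.

```pf
# Added example (3.x-era syntax): normalize and reassemble fragments on every
# packet entering or leaving the box. This is the part the -current man page
# recommends for all traffic; it costs memory for the reassembly queue, not
# per-flow bookkeeping.
scrub in all
scrub out all

ext_if = "fxp0"
weak_host = "10.0.0.5"   # constructed placeholder for a host with a poor TCP/IP stack

# Ordinary stateful filtering: keep state, leave sequence numbers alone.
pass in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto tcp from $ext_if to any keep state

# modulate state is the feature the FAQ's "poor TCP/IP implementation" wording
# actually applies to: pf rewrites the initial sequence numbers for this one
# host's connections. It is an opt-in per rule, independent of scrub.
pass in on $ext_if proto tcp from any to $weak_host port 80 modulate state
```

Load with `pfctl -f /etc/pf.conf` and inspect the resulting scrub and filter rules with `pfctl -s rules`. On OpenBSD releases from 4.6 onward the stand-alone `scrub` directive was replaced by a `scrub` option on `match` rules, so the first two lines would be written differently there; the separation between reassembly and sequence-number modulation is unchanged.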