Is your feature request related to a problem? Please describe.
Currently our default normalization practice is to add `scrub` to most interfaces, but not all, which in some cases can lead to unexpected behavior, as some virtual types (like `enc0`) are excluded; in that case fragment reassembly (which is enabled by default when using `scrub`, according to https://man.freebsd.org/cgi/man.cgi?pf.conf(5)) may be omitted.
The question is whether the current "micro management" approach actually makes sense, as most examples start with `scrub in all`, and the previous OpenBSD manual states: "Other than these somewhat unusual cases, scrubbing all packets is highly recommended practice."
When specific normalization rules are needed, it is already possible in OPNsense to define these first and optionally disable all automatic scrubbing.
Describe the solution you like
Refactor the current per-interface option to always end with `scrub in all` when default scrubbing is not disabled, add `no-df` and `random-id` when asked for (likely hardly used), and add the interface MSS clamping rules before the generic scrub rule.
Point of reference: core/src/etc/inc/filter.inc, lines 564 to 589 in c7d6f53 (the excerpt below starts mid-block; the preceding lines are not shown here):
```php
            $scrubrules .= "scrub on {$scrubcfg['if']} inet all {$scrubnodf}{$scrubrnid}{$mssclampv4}\n";
            $scrubrules .= "scrub on {$scrubcfg['if']} inet6 all {$scrubnodf}{$scrubrnid}{$mssclampv6}\n";
        } else {
            $scrubrules .= "scrub on {$scrubcfg['if']} all {$scrubnodf}{$scrubrnid}\n";
        }
    }
}
```
At first sight there don't seem to be downsides to not scrubbing outbound traffic, in which case it's likely a good idea to only add `in` by default.
Describe alternatives you considered
Leaving it as is, knowing that some vague reassembly issues will pop up at some point for existing or new virtual interface types.
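The rule layout the proposal describes (interface-specific MSS clamping first, one generic inbound `scrub in all` last, `no-df`/`random-id` only on request) as an added example, not code from OPNsense's filter.inc and not the issue author's code. The configuration shape (`$settings` keys `disablescrub`, `scrubnodf`, `scrubrnid`; per-interface keys `if` and `mtu`), the function name `build_scrub_rules`, and the MTU-to-MSS arithmetic are assumptions made for this example, not OPNsense's config model:

```php
<?php
/*
 * Added example (not OPNsense's filter.inc): generate the scrub block as
 * proposed above. Per-interface MSS clamping rules are emitted first, then,
 * unless default scrubbing is disabled, a single catch-all "scrub in all"
 * carrying no-df / random-id when requested.
 *
 * The configuration layout used here ($settings keys 'disablescrub',
 * 'scrubnodf', 'scrubrnid'; per-interface keys 'if' and 'mtu') is an
 * assumption made for this example only.
 */

function build_scrub_rules(array $settings, array $interfaces): string
{
    $rules = '';

    // Interface-specific normalization first: pf applies the first matching
    // scrub rule, so these must precede the generic catch-all rule.
    foreach ($interfaces as $cfg) {
        if (empty($cfg['if']) || empty($cfg['mtu'])) {
            continue; // no device name or no clamping requested: nothing to emit
        }
        $mtu = (int)$cfg['mtu'];
        // Example's own convention: the configured value is a path MTU, and the
        // TCP MSS is the MTU minus IP and TCP headers (20+20 bytes for IPv4,
        // 40+20 bytes for IPv6).
        $rules .= sprintf("scrub on %s inet all max-mss %d\n", $cfg['if'], $mtu - 40);
        $rules .= sprintf("scrub on %s inet6 all max-mss %d\n", $cfg['if'], $mtu - 60);
    }

    // Generic rule last, inbound only, and only when the user has not
    // disabled automatic scrubbing altogether. "all" covers every interface,
    // including virtual ones such as enc0 that a per-interface list may miss.
    if (empty($settings['disablescrub'])) {
        $opts = '';
        if (!empty($settings['scrubnodf'])) {
            $opts .= ' no-df';
        }
        if (!empty($settings['scrubrnid'])) {
            $opts .= ' random-id';
        }
        $rules .= "scrub in all{$opts}\n";
    }

    return $rules;
}

// Constructed sample input: one interface with MSS clamping, one without,
// one virtual entry with no device name, and no-df enabled globally.
$settings = ['disablescrub' => false, 'scrubnodf' => true, 'scrubrnid' => false];
$interfaces = [
    'wan'   => ['if' => 'vtnet0', 'mtu' => 1460],
    'lan'   => ['if' => 'vtnet1'],
    'ipsec' => ['if' => null],
];

echo build_scrub_rules($settings, $interfaces);
```

With `disablescrub` set, the function returns only the per-interface clamping rules, which matches the existing OPNsense behaviour of letting user-defined normalization rules stand on their own; with it unset, the final `scrub in all` guarantees fragment reassembly on every interface regardless of how the interface list was built.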