What -- if anything -- can I put in a Shorewall configuration to give me the same (or basically the same) traffic normalization functionality as the "scrub" command in NetBSD's "pf" packet filter (e.g., "scrub in all" in /etc/pf.conf)?

I'm currently using shorewall-perl 4.0.6 on a Debian Etch system.

-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Rich Wales wrote:
> What -- if anything -- can I put in a Shorewall configuration to give me
> the same (or basically the same) traffic normalization functionality as
> the "scrub" command in NetBSD's "pf" packet filter (e.g., "scrub in all"
> in /etc/pf.conf)?
>

No idea -- all I can find searching for 'pf+scrub' are reasons not to use it.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> No idea -- all I can find searching for 'pf+scrub' are reasons not to
> use it.

The thing about PF scrubbing which I'm most interested in is fragment reassembly. I understand this can be achieved in iptables, for practical purposes, by invoking "connection tracking" (conntrack). Does that sound right? Is this something that is already done (or which can be enabled) in Shorewall?

When I do "shorewall show capabilities" on my firewall (Debian Etch, 2.6.18-5-k7 kernel, running shorewall-perl 4.0.6), I do see a line that says "Connection Tracking Match: Available". Does that mean connection tracking is already happening by default on my system? Or do I need to do something explicit in my Shorewall configuration to enable it?

-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
Rich Wales wrote:
> Tom Eastep wrote:
>
>> No idea -- all I can find searching for 'pf+scrub' are reasons not to
>> use it.
>
> The thing about PF scrubbing which I'm most interested in is fragment
> reassembly. I understand this can be achieved in iptables, for practical
> purposes, by invoking "connection tracking" (conntrack).

Which Shorewall does unconditionally.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
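The thread turns on what "fragment reassembly" buys a firewall: fragments are reassembled (and anything inconsistent discarded) before the filter rules ever see the datagram, so the rules and the destination host agree on what was sent. The toy below is an added illustration written for this page; it is not Shorewall, netfilter or pf code, and it does not reproduce the exact policy either implementation applies. It reassembles a constructed IPv4-style fragment set (identification, byte offset, more-fragments flag, payload), accepts out-of-order arrival, ignores exact duplicates, and drops the whole datagram when two fragments overlap with different offsets, which is the conservative normalization choice a "scrub"-style step makes.

```python
"""Toy fragment reassembler showing what a defragmentation/normalization
step does ahead of the filter rules.  Constructed example, not Shorewall
or netfilter code; offsets are plain byte offsets, not 8-byte units."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification field shared by all fragments
    offset: int      # byte offset of this piece within the original datagram
    more: bool       # More Fragments (MF) flag; False marks the final piece
    payload: bytes


class OverlappingFragments(Exception):
    """Raised when a fragment overlaps already-held data for the same ident."""


class Reassembler:
    def __init__(self) -> None:
        self._pieces: Dict[int, Dict[int, bytes]] = {}  # ident -> {offset: payload}
        self._total: Dict[int, int] = {}                # ident -> length once MF=0 seen

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Store one fragment; return the full datagram once it is complete."""
        pieces = self._pieces.setdefault(frag.ident, {})
        start, end = frag.offset, frag.offset + len(frag.payload)
        for off, data in pieces.items():
            if off == start and data == frag.payload:
                return None  # exact retransmit: harmless, ignore it
            if off < end and start < off + len(data):
                # Conflicting overlap: forget the whole datagram rather than
                # guess which bytes the receiver would honour.
                self._pieces.pop(frag.ident, None)
                self._total.pop(frag.ident, None)
                raise OverlappingFragments(
                    f"id={frag.ident}: [{start},{end}) overlaps [{off},{off + len(data)})")
        pieces[start] = frag.payload
        if not frag.more:
            self._total[frag.ident] = end
        total = self._total.get(frag.ident)
        if total is None:
            return None  # final fragment not seen yet
        # Complete only when the pieces tile [0, total) with no gaps.
        cursor = 0
        for off in sorted(pieces):
            if off != cursor:
                return None
            cursor = off + len(pieces[off])
        if cursor != total:
            return None
        del self._pieces[frag.ident]
        del self._total[frag.ident]
        return b"".join(pieces[o] for o in sorted(pieces))


def normalize(frags: List[Fragment]) -> Tuple[str, Optional[bytes]]:
    """Run a fragment set through the reassembler as a scrub-like step would:
    ('pass', datagram), ('drop', reason) or ('incomplete', None)."""
    r = Reassembler()
    try:
        for f in frags:
            out = r.feed(f)
            if out is not None:
                return ("pass", out)
    except OverlappingFragments as exc:
        return ("drop", str(exc).encode())
    return ("incomplete", None)


# Constructed sample traffic: one clean datagram delivered out of order ...
CLEAN = [
    Fragment(7, 8, True, b"ex.html "),
    Fragment(7, 0, True, b"GET /ind"),
    Fragment(7, 16, False, b"HTTP/1.0"),
]
# ... and one whose second fragment rewrites bytes the first already supplied.
OVERLAP = [
    Fragment(9, 0, True, b"GET /ind"),
    Fragment(9, 4, False, b"evil.htm"),
]

if __name__ == "__main__":
    print(normalize(CLEAN))     # ('pass', b'GET /index.html HTTP/1.0')
    print(normalize(OVERLAP))   # ('drop', b'id=9: [4,12) overlaps [0,8)')
```

The point for a firewall author is the last branch: once fragments are reassembled and conflicting ones refused, a rule that inspects ports or payload cannot be shown one view while the end host sees another. Whatever the real kernel's overlap policy is in a given version, the filter rules only ever evaluate the reassembled result.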