On Wed, Jul 31, 2024, at 6:10 PM, Marcus Oldman wrote:
> I have an OpenBSD router at home that uses a few PF lines like the following:
>
> match in all scrub (no-df random-id reassemble tcp)
> (...)
> pass out quick inet modulate state
>
> I've read the pf.conf man page and have a mild understanding of the
> "random-id" and "modulate state" bits, but still don't fully understand
> when and why they should be used or not used.
>
> The router is in front of a mix of devices and different OSes. Should I
> be using these 2 features for security purposes?
There's nothing wrong with them, even if the devices behind your firewall are modern and less likely to benefit from them. The pf.conf man page will better explain the pros/cons than I could here.
> I'm trying to diagnose some slowness and inconsistency in my home
> internet and didn't know if these might be slowing things down. The
> hardware is just an APU2, so nothing very powerful. Less than 1gbit
> connection.
I would remove 'reassemble tcp'. I've found it causes more problems than it solves.
Brian Conway
Owner
RCE Software, LLC
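For readers who want to see the change Brian suggests in context, here is a minimal pf.conf fragment, added as an example and not part of the original thread, that keeps the poster's two rules but drops 'reassemble tcp'. It assumes OpenBSD pf.conf(5) syntax; the interface name is made up for illustration, and the poster's other rules, elided as "(...)" above, are not reconstructed.

```pf
# Added example, not from the thread. Interface name is an assumption.
ext_if = "em0"

# IP fragment reassembly is controlled separately from 'reassemble tcp'
# and is on by default; leaving it on is unrelated to the change below.
set reassemble yes

# Before: the poster's line, which also turns on stateful TCP
# normalisation ('reassemble tcp').
# match in all scrub (no-df random-id reassemble tcp)

# After: still clear the DF bit and replace the IPv4 identification
# field with random values, but leave TCP segment normalisation to the
# end hosts, as the reply suggests.
match in all scrub (no-df random-id)

# 'modulate state' is 'keep state' plus random initial sequence numbers
# for TCP; for non-TCP traffic it behaves like 'keep state'.
pass out quick inet modulate state
```

To check a change like this without loading it, run `pfctl -nf /etc/pf.conf` (parse only); then `pfctl -f /etc/pf.conf` to load it and `pfctl -sr` to confirm that the scrub options shown on the loaded rule are the ones you intended.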