# IPF rule "with short" in PF



## zgabe (Jul 13, 2011)

Hi,

Is there any rule in PF which has a similar function to "with short" in IPF?
PF.CONF(5) does not mention short fragments.

Br,
zgabe


----------



## francis (Jul 17, 2011)

Hi, in the ipf firewall the "*too short*" option seems to be responsible for catching packets which are too short to be real/compared. So I think that the best would be to use PF's "_scrubbing_" options. Because scrub rules allow you to decide how to handle packets, I think that it *could be* the answer to your question. Scrub rules can also perform other basic packet checking and manipulation. More info can be found here: PF: Scrub (Packet Normalization).
By the way, much information about packets can be obtained by using the pfctl(8) and tcpdump(1) utilities. In pfctl (especially the *-s* flag and the *all*/*info* options), besides the short counter (shows how many unusually short packets were received), there are also many others.

Just for example: use the max-mss option included in scrub, which defines the maximum packet size which the system is ready to accept, and it's available as one of many possibilities in packet/traffic normalization. You can adjust the maximum segment size of packets that pass through PF. I read once that for most networks the Maximum Message Segment Size option can be safely set to 1472 bytes. It means that (A.B.C.D) does not want to get more than 1472 bytes in a packet from the address (E.F.G.H). If you decide to use the max-mss option, please do it with care and prudence!

Finally, you can always take advantage of the ipf firewall, which has very good documentation: The IPFILTER (IPF) Firewall.
Oh, and one more thing: *please correct me if I wrote stupidity!*


----------
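As an added illustration (editor's example, not part of any post in this thread): the scrub approach described above, written as a pf.conf fragment in the pre-OpenBSD-4.6 syntax that FreeBSD's PF used at the time. The interface name in `ext_if` and the `max-mss` value of 1440 are constructed placeholders; pick values that match your own network. `fragment reassemble` is the part that answers the original question: PF holds IP fragments until it can rebuild the full datagram, so a fragment too short to carry a complete header (what IPF's "with short" matches) is never forwarded as-is and shows up in the `short`/`fragment` counters instead.

```pf
# Added example, not from the thread. Syntax for FreeBSD PF / OpenBSD <= 4.5.
# ext_if is an assumed macro name; "em0" is a constructed placeholder.
ext_if = "em0"

# Normalize all inbound traffic on the external interface:
#   fragment reassemble - buffer fragments and pass only whole datagrams,
#                         so truncated or overlapping fragments are dropped
#   no-df               - clear the Don't Fragment bit so reassembly can work
#   max-mss 1440        - clamp TCP MSS (constructed value; tune to your MTU)
scrub in on $ext_if all fragment reassemble no-df max-mss 1440

# Default deny inbound with logging; allow stateful outbound.
block in log on $ext_if all
pass out on $ext_if all keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and watch `pfctl -s info`, whose Counters section includes the `short`, `fragment` and `normalize` counters mentioned above. On OpenBSD 4.6 and later the standalone `scrub` directive was removed and the same options are written as `match in on $ext_if all scrub (no-df reassemble tcp max-mss 1440)`.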



## zgabe (Jul 18, 2011)

Hi,

Thank you for your answer. It is really correct and detailed. I am going to read the advised topics and I will post my comments or problems.

BR,
zgabe


----------

