pf.conf reassemble and antispoof questions

I have been on OBSD 4.4 for a bit and had not really messed with pf.conf for
a while.

When I updated to 4.6 there were a couple of settings that seemed
ambiguous to me.

1) under Options, "set reassemble on". I know it is on by default but I got
a parsing
error when I tried it. I also found some man pages online that were missing
this
option however the man page in 4.6 does include it. So A) Is this supposed
to work
still? B) Is there a difference between setting "set reassemble on" in the
options vs.
"match in all scrub reassemble tcp"?

2)Using urpf-failed vs. antispoof. http://www.openbsd.org/faq/pf/filter.html
 says
"uRPF provides the same functionality as antispoof rules." Is it truly
identical?
I could not find anything in the man page that explicitly says the are
functionally
equivalent. Is there a reason to use one over the other... or will one be
deprecated?

Thanks!

* Robert Waite <winstonwaite@...> [2009-11-05 20:08]:
of course it works if you use it as written in the manpage. hint: the
value is not "on".

> still? B) Is there a difference between setting "set reassemble on" in the
> options vs.
> "match in all scrub reassemble tcp"?

yes, of course. and that is in the mnapage too... set reassemble only
affects fragments, the scrub option on rules has nothing to do with
fragments.

> 2)Using urpf-failed vs. antispoof. http://www.openbsd.org/faq/pf/filter.html
>  says
> "uRPF provides the same functionality as antispoof rules." Is it truly
> identical?
> I could not find anything in the man page that explicitly says the are
> functionally
> equivalent. Is there a reason to use one over the other... or will one be
> deprecated?

they are not identical, they can serve the same purpose.

--
Henning Brauer, hb@..., henning@...
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

On Fri, Nov 06, 2009 at 10:07:51AM +0100, Henning Brauer wrote:
well, it is actually what is written like that in the manpage.

Eric.

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.462
diff -u -r1.462 pf.conf.5
--- pf.conf.5 5 Nov 2009 16:01:36 -0000 1.462
+++ pf.conf.5 6 Nov 2009 09:31:59 -0000
@@ -1095,9 +1095,9 @@
 .Ar reassemble
 option is used to enable or disable the reassembly of fragmented packets,
 and can be set to
-.Ar on
+.Ar yes
 (the default) or
-.Ar off .
+.Ar no .
 If
 .Ar no-df
 is also specified, fragments with the

* Eric Faurot <eric@...> [2009-11-06 10:43]:
aye. that is.... bad. ok for the diff, commit

--
Henning Brauer, hb@..., henning@...
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting