In PF versions up to OpenBSD 4.5 inclusive, scrub is a keyword which enables network packet normalization, causing fragmented packets to be assembled and removing ambiguity. Enabling scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments. A number of supplementing options are available, but we choose the simplest form which is suitable for most configurations.

scrub in all

Some services, such as NFS, require some specific fragment handling options. This is extensively documented in the PF user guide and man pages provide all the information you could need.

In OpenBSD 4.6, scrub was demoted from standalone rule material to become an action you could attach to pass or match rules (the introduction of match rules being one of the main new features in OpenBSD 4.6). You should also note that for the new scrub syntax, you need to supply at least one option in brackets. The following works quite well for several networks in my care:

match in all scrub (no-df max-mss 1440)

meaning, we clear the do not fragment bit and set the maximum segment size to 1440 bytes. Other variations are possible, and even though the list of scrub options shrank somewhat for the OpenBSD 4.6 version, you should be able to cater to various specific needs by consulting the man pages and some experimentation.