udp fragmentation

Max Laier max at love2party.net
Wed May 30 14:02:16 UTC 2007


Hi Hugo,

On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies with
> a ~4KB udp response. We do this with the following dig command:
>
>  dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
>
> pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> time out. Disabling the firewall, complete replies are received with no
> problem. The same test was run on an OpenBSD 4.1 box with no problem.
>
> Complete test results were sent to the freebsd-stable and freebsd-net
> mailing lists and can be found here:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
>
> (The email message above includes tests with ipf)
>
>
> pf rules look like this in all tests:
>
> scrub in all fragment reassemble
> block drop in log all
> pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> pass out on bge0 proto tcp all flags S/SA keep state
> pass out on bge0 proto udp all keep state
> pass out on bge0 proto icmp all keep state
>
>
> Am I doing something wrong? Is there anything else I should try on
> FreeBSD?

Can you enable extended logging (pfctl -xm) and check your console for 
messages?  Also please check "pfctl -si" for counter increases.

Thanks,

--
  Max
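The reply above asks for counters and debug output, but the mechanics behind the problem are worth seeing directly: a ~4 KB EDNS0 reply is bigger than an Ethernet MTU, so it leaves the resolver as several IP fragments, and only the first of them carries the UDP header with the ports that a "proto udp ... keep state" rule matches on. The rest are port-less IP fragments that a firewall can only evaluate after reassembly, which is what "scrub in all fragment reassemble" is meant to do. The script below is an added example and is not code from this thread or from pf; it builds such a datagram, splits it the way a 1500-byte MTU link would, shows what a per-packet filter can see in each piece, and reassembles them (including out-of-order delivery and the missing-fragment case). The destination address 10.0.0.1, the client port 40000, the 1500-byte MTU, the IP ID and the all-"A" payload are constructed test values; 192.36.144.107 and port 53 come from the dig command in the report.

```python
"""Why a fragmented UDP DNS reply is hard to filter per packet.

Added example, not code from the mailing-list thread or from pf.  It builds
an IPv4/UDP datagram the size of the EDNS0 reply under discussion (~4 KB),
splits it as a 1500-byte MTU link would, shows that only the first fragment
carries UDP ports, and reassembles the pieces.  All addresses, ports, sizes
and payload bytes are constructed test values except 192.36.144.107 and
port 53, which appear in the original dig command.
"""
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8
IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_header(src, dst, payload_len, ident, offset_units, more_fragments):
    """Minimal IPv4 header: no options, TTL 64, protocol UDP, checksum filled in."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      ident, flags_frag, 64, IPPROTO_UDP, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def fragment_udp(src, dst, sport, dport, payload, mtu=1500, ident=0x1234):
    """Build one UDP datagram and return the IPv4 fragments a sender or
    router would emit for the given link MTU (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    # Every fragment except the last must carry a multiple of 8 bytes of data.
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(_ip_header(src, dst, len(piece), ident, off // 8, more) + piece)
    return frags


def parse_fragment(pkt):
    """What a per-packet filter can see: fragment offset, MF flag, protocol,
    and the UDP ports only when the UDP header is present (offset 0)."""
    _total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    offset = (flags_frag & 0x1FFF) * 8
    info = {"offset": offset, "more_fragments": bool(flags_frag & 0x2000),
            "proto": proto, "ports": None}
    if offset == 0 and proto == IPPROTO_UDP:
        info["ports"] = struct.unpack("!HH", pkt[IP_HDR_LEN:IP_HDR_LEN + 4])
    return info


def reassemble(frags):
    """Rebuild the UDP datagram from fragments in any order.  Returns None if
    the last fragment or any intermediate piece is missing (a hole)."""
    pieces, end = {}, None
    for pkt in frags:
        info = parse_fragment(pkt)
        pieces[info["offset"]] = pkt[IP_HDR_LEN:]
        if not info["more_fragments"]:
            end = info["offset"] + len(pkt) - IP_HDR_LEN
    if end is None:
        return None
    out = b""
    while len(out) < end:
        piece = pieces.get(len(out))
        if piece is None:
            return None
        out += piece
    return out


if __name__ == "__main__":
    frags = fragment_udp("192.36.144.107", "10.0.0.1", 53, 40000, b"A" * 4096)
    for i, pkt in enumerate(frags):
        print("fragment %d: %d bytes, %s" % (i, len(pkt), parse_fragment(pkt)))
    whole = reassemble(frags)
    print("reassembled UDP datagram: %d bytes" % len(whole))
```

Running it shows three fragments (1500, 1500 and 1164 bytes): the first reports ports (53, 40000), the other two report no ports at all, only an offset and the MF flag. A rule set that matches UDP ports without reassembly has nothing to match the second and third fragments against, which is why the scrub reassembly step, and whether it actually ran, is the first thing to check when fragmented replies disappear.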