Re: pf starts blocking all traffic after a short while

From: Pete French <petefrench_at_ingresso.co.uk>
Date: Fri, 4 Jun 2021 19:47:31 +0100
> OK I may be completely off the mark here. But I seem to remember something
> about potential problems with fragment reassembly on IPv6. Just for kicks,
> does the problem still manifest if you comment
> scrub all max-mss 1200 fragment reassemble
> Again, I may be off the mark here, as I don't exactly remember where/when
> I read about it. But just thought I'd throw it out there in case it helped.

Actually, yes, this is true, and in most other places I use pf I have 
the rule:

pass quick inet6 proto ipv6-frag all keep state

in pf.conf. But this time I forgot. However I just tried
adding that though, and it hasn't helped. All IPv4 traffic as
well as IPv6 gets dropped when it starts dropping stuff, so
I don't think this is IPv6 related.

Good memory though, I had forgotten that ;-)

-pete.
Received on Fri Jun 04 2021 - 18:47:31 UTC
