PF and IPv6 UDP fragmented packets
Kristof Provost
kp at freebsd.org
Sat Aug 31 21:10:44 UTC 2019
On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo at karolyi.hu> wrote:
> Hey,
>
> I've installed unbound into a jail to use it as a nameserver. After
> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
> saw PF dropping the UDP fragment packages arriving to and from my jail.
> According to the pf.conf readme, the IP header of the fragmented packets
> still contain the protocol type (TCP/UDP), but not the port number. I
> hope it's not a documentation bug.
>
You really, really want to have pf reassemble packets prior to
filtering.
Use 'scrub all fragment reassemble'.
Regards,
Kristof
More information about the freebsd-bugs
mailing list