PF and IPv6 UDP fragmented packets

László Károlyi laszlo at karolyi.hu
Sun Sep 1 09:32:06 UTC 2019


Hi,

can I get an explanation/argument as to why, and what implications it
has when I don't enable it?

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2019-08-31 23:10, Kristof Provost wrote:
> On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo at karolyi.hu> wrote:
>> Hey,
>>
>> I've installed unbound into a jail to use it as a nameserver. After
>> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
>> saw PF dropping the UDP fragment packets arriving to and from my jail.
>> According to the pf.conf readme, the IP header of the fragmented packets
>> still contains the protocol type (TCP/UDP), but not the port number. I
>> hope it's not a documentation bug.
>>
> You really, really want to have pf reassemble packets prior to
> filtering.
> Use 'scrub all fragment reassemble'.
>
> Regards,
> Kristof
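The point Kristof makes above, shown as a pf.conf fragment added here (not from the thread or from anyone in it): a port-based pass rule can only match the first fragment of a large DNS reply, because only that fragment carries the UDP header; the interface name and jail address are placeholders.

```pf
# Interface and jail address are assumptions, not values from the thread.
ext_if   = "vtnet0"
jail_ip6 = "2001:db8::53"

# --- Weak: no normalization. The first fragment of a large (e.g. DNSSEC)
# UDP reply carries the UDP header with both ports, so it matches the
# port-based pass rule. Every later fragment carries Next Header = UDP in
# its IPv6 fragment header but no UDP header at all, so no rule keyed on
# a port (and no existing state entry) can match it; "block all" drops it,
# the receiver never completes reassembly and the lookup fails.
#
#   block all
#   pass in  on $ext_if inet6 proto udp to   $jail_ip6 port 53
#   pass out on $ext_if inet6 proto udp from $jail_ip6 port 53

# --- Corrected: reassemble fragments before the filter rules see them.
# In pf.conf, normalization (scrub) rules must precede filter rules.
scrub all fragment reassemble

block all
# Queries reaching unbound in the jail. TCP is included because answers
# too large for UDP are truncated and retried over TCP.
pass in  on $ext_if inet6 proto { udp tcp } to $jail_ip6 port 53
# Replies from unbound and its own outbound recursive lookups; the default
# "keep state" lets the (now reassembled) answers back in.
pass out on $ext_if inet6 proto { udp tcp } from $jail_ip6
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s info` shows the fragment counters under "State Table"/"Counters", which is the place to confirm that reassembly is happening rather than fragments being dropped.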