PF and IPv6 UDP fragmented packets
Kristof Provost
kp at FreeBSD.org
Sun Sep 1 16:41:37 UTC 2019
On 1 Sep 2019, at 2:31, László Károlyi wrote:
> On 2019-08-31 23:10, Kristof Provost wrote:
>> On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo at karolyi.hu> wrote:
>>> Hey,
>>>
>>> I've installed unbound into a jail to use it as a nameserver. After setting up PF to allow UDP fragments to the jail's IPv6 address, I still saw PF dropping the UDP fragment packets arriving to and from my jail.
>>> According to the pf.conf readme, the IP header of the fragmented packets still contains the protocol type (TCP/UDP), but not the port number. I hope it's not a documentation bug.
>>>
>> You really, really want to have pf reassemble packets prior to filtering.
>> Use 'scrub all fragment reassemble'.
>>
> Can I get an explanation/argument as to why, and what implications it has when I don't enable it?
From man pf.conf:

    fragment reassemble
        Using scrub rules, fragments can be reassembled by normalization.
        In this case, fragments are buffered until they form a complete
        packet, and only the completed packet is passed on to the filter.
        The advantage is that filter rules have to deal only with complete
        packets, and can ignore fragments. The drawback of caching
        fragments is the additional memory cost.

Basically that means that pf gets to look at the complete packet, and it
can make decisions about the complete packet as well. So rather than
choosing between dropping all fragments or allowing **all** UDP/TCP
traffic (because attackers can just fragment to hide the port numbers)
you get to enforce your policies.
Regards,
Kristof
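
The two approaches contrasted in this thread, written out as a pf.conf fragment. This is an added illustration, not configuration posted by either participant; the jail address 2001:db8::53 and the macro name $jail_v6 are placeholders chosen here, and the frags limit is an assumed value, not a recommendation from the thread.

```pf
# Added example: "allow fragments" vs. "reassemble, then filter".
# $jail_v6 is an assumed placeholder for the jail's IPv6 address.
jail_v6 = "2001:db8::53"

# --- Weak variant (what the original question describes) ---
# Non-first fragments carry the Next Header value (UDP) but no UDP header,
# so a port-specific rule cannot match them. The only way to let them
# through without reassembly is a rule that ignores the port entirely,
# which means any UDP payload can reach the jail simply by being fragmented.
#pass in quick inet6 proto udp from any to $jail_v6 fragment
#pass in quick inet6 proto udp from any to $jail_v6 port 53

# --- Corrected variant (Kristof's advice) ---
# Normalization rules must come before filter rules in pf.conf.
# pf buffers fragments until the datagram is complete and hands the whole
# packet to the filter, so the port 53 rules below see every datagram,
# fragmented or not, and nothing else is admitted.
scrub in all fragment reassemble

# Bound the memory spent on buffered fragments (the "additional memory cost"
# the man page mentions). 5000 is an assumed value; size it for your host.
set limit frags 5000

pass in quick inet6 proto udp from any to $jail_v6 port 53
pass in quick inet6 proto tcp from any to $jail_v6 port 53
block in quick inet6 proto { udp tcp } from any to $jail_v6
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading, `pfctl -s info` reports a fragment counter under Counters so you can confirm that fragments are actually being reassembled rather than dropped.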