pf misfeature

[Daniel Hartmeier]

On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:

> Daniel, do you spot anything strange with these skip steps (or otherwise)?

The problem is the lack of IP reassembly in this configuration.

In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is skipped.

Generally, stateful filtering _requires_ IP reassembly. As long as no
fragmentation occurs, it works even without reassembly. I suspect your
UDP NFS traffic is fragmented.

Try adding

  scrub in on $if all fragment reassemble

at the top.

Daniel