udp fragmentation

Hugo Koji Kobayashi koji at registro.br
Mon May 28 23:06:28 UTC 2007


Hello,

While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do this with the following dig command:

 dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
time out. With the firewall disabled, complete replies are received with no
problem. The same test was run on an OpenBSD 4.1 box with no problem.

Complete test results were sent to the freebsd-stable and freebsd-net
mailing lists and can be found here:

http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html

(The email message above includes tests with ipf)


pf rules look like this in all tests:

scrub in all fragment reassemble
block drop in log all
pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
pass out on bge0 proto tcp all flags S/SA keep state
pass out on bge0 proto udp all keep state
pass out on bge0 proto icmp all keep state


Am I doing something wrong? Is there anything else I should try on
FreeBSD?

Thanks,
Hugo
