IPv6 day, PF and IPv6 fragments
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Tue Jun 7 21:14:41 UTC 2011
On Jun 7, 2011, at 7:50 PM, Gary Palmer wrote:
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>
> Currently, only IPv4 fragments are supported and IPv6 fragments are
> blocked unconditionally.
>
> Is this correct? If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?
OpenBSD might have added it lately to their devel version, though I am not yet sure to which extent they now check. If you trust your hosts you can use something like:
pass log quick inet6 proto ipv6-frag all
to let the ipv6 fragments pass through without inspection.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
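As an added example, not part of the thread above: before opening pf to IPv6 fragments it is worth confirming from the pflog output which rule is doing the blocking, whether the fragment at offset 0 (the only one that carries the TCP/UDP header) is among the blocked packets, and whether the fragments seen reassemble without gaps. The script below parses tcpdump-style pflog lines of the form Gary posted. The sample lines are constructed from his post, with the redacted address replaced by the documentation-prefix address 2001:db8::1 (an assumption), plus one unrelated non-fragment line that the parser must skip. The suggested rule it prints is this writer's narrowing of Bjoern's "pass ... proto ipv6-frag" rule to the interface, direction and addresses actually observed; it assumes "ipv6-frag" resolves to protocol 44 via /etc/protocols and should be checked with "pfctl -nf" before loading. Note that pf still does not inspect the fragment payload under such a rule, so restricting it to trusted peers is the only compensating control.

```python
"""Triage pflog output for blocked IPv6 fragments (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two fragment lines from the post (redacted address
# replaced by 2001:db8::1, an assumption) plus one non-fragment line to ignore.
SAMPLE_LOG = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (1424|16)
2011-06-07 20:35:56.000001 rule 12/0(match): pass in on gif0: 2001:4998:0:6::11.80 > 2001:db8::1.62594: . ack 1393 win 8211
"""

# "rule N/M(reason): action dir on ifname: src > dst: frag (offset|length) rest"
FRAG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)(?P<rest>.*)$"
)
# Only the offset-0 fragment carries the upper-layer header, hence ports.
PORTS_RE = re.compile(r"^\s*(?P<sport>\d+) > (?P<dport>\d+):")


@dataclass
class Fragment:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    offset: int
    length: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_pflog(text):
    """Return one Fragment per IPv6 fragment line; other lines are skipped."""
    frags = []
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if not m:
            continue
        ports = PORTS_RE.match(m.group("rest"))
        frags.append(Fragment(
            ts=m.group("ts"), rule=int(m.group("rule")),
            action=m.group("action"), direction=m.group("dir"),
            ifname=m.group("ifn"), src=m.group("src"), dst=m.group("dst"),
            offset=int(m.group("off")), length=int(m.group("len")),
            sport=int(ports.group("sport")) if ports else None,
            dport=int(ports.group("dport")) if ports else None,
        ))
    return frags


@dataclass
class Flow:
    rule: int
    ifname: str
    direction: str
    src: str
    dst: str
    pieces: list = field(default_factory=list)   # (offset, length) pairs
    payload_bytes: int = 0
    dport: Optional[int] = None

    def has_first_fragment(self):
        return any(off == 0 for off, _ in self.pieces)

    def is_contiguous(self):
        """True when the fragments seen cover [0, total) without a gap."""
        end = 0
        for off, length in sorted(self.pieces):
            if off != end:
                return False
            end = off + length
        return end > 0


def summarize(frags):
    """Group blocked fragments by (rule, interface, direction, src, dst)."""
    flows = {}
    for f in frags:
        if f.action != "block":
            continue
        key = (f.rule, f.ifname, f.direction, f.src, f.dst)
        flow = flows.setdefault(key, Flow(*key))
        flow.pieces.append((f.offset, f.length))
        flow.payload_bytes += f.length
        if f.dport is not None:
            flow.dport = f.dport
    return flows


def suggest_rule(flow):
    """Narrowed form of the rule from the post (writer's adaptation): same
    protocol match, limited to what was observed. Assumes 'ipv6-frag' is
    protocol 44 in /etc/protocols; verify with 'pfctl -nf' before loading."""
    return (f"pass {flow.direction} log quick on {flow.ifname} inet6 "
            f"proto ipv6-frag from {flow.src} to {flow.dst}")


if __name__ == "__main__":
    for flow in summarize(parse_pflog(SAMPLE_LOG)).values():
        print(f"rule {flow.rule}: {flow.src} > {flow.dst} on {flow.ifname}, "
              f"{len(flow.pieces)} fragments, {flow.payload_bytes} bytes, "
              f"first fragment seen={flow.has_first_fragment()}, "
              f"contiguous={flow.is_contiguous()}, dport={flow.dport}")
        print("  candidate rule:", suggest_rule(flow))
```

Run it against a real "tcpdump -n -e -ttt -i pflog0" capture (redirected to a file) instead of SAMPLE_LOG to get the same per-flow summary; a flow that never shows an offset-0 fragment, or is not contiguous, is a sign of something other than ordinary path-MTU fragmentation and should not be whitelisted.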