IPv6 day, PF and IPv6 fragments

Mohacsi Janos mohacsi at niif.hu
Wed Jun 8 08:06:24 UTC 2011


Dear All

On Tue, 7 Jun 2011, Gary Palmer wrote:

> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?


Yes, PF did not support IPv6 fragmentation. In IPv6 the fragmentation is 
done in extension headers, which are not very well supported in either 
version of PF. Extension headers are very complicated to parse (and 
reassembly should take place for scrubbing!), therefore the PF 
implementors probably decided to write the support later, when there is a 
need for it.

However, the situation is not so bad. We have been using PF on FreeBSD since 2005 
(FreeBSD 6.x, 7.x, 8.x) with IPv6 enabled and we have no complaints about 
PF unconditionally dropping packets with the fragmentation extension header.

OpenBSD pf in FreeBSD 8.2 still doesn't have support for the IPv6 fragmentation 
header.




>
> Thanks,
>
> Gary
>

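As an added example (not part of this thread, and not pf's own code), the following Python walks an IPv6 extension header chain to find the Fragment header, which is the parsing step the reply describes as hard. The packets are constructed to match the sizes in Gary's log, "frag (0|1424)" and "frag (1424|16)"; the sender address comes from that log, and 2001:db8::1 is an assumed stand-in for "<my IP>".

```python
import ipaddress
import struct

FRAGMENT = 44
# Extension headers that chain onward via a Next Header byte and must be
# walked to reach the transport header: Hop-by-Hop, Routing, Fragment,
# Destination Options.
CHAINED = {0, 43, FRAGMENT, 60}

# Constructed sample addresses: the sender from the log line and a
# documentation-prefix address standing in for "<my IP>".
SRC = ipaddress.IPv6Address("2001:4998:0:6::11").packed
DST = ipaddress.IPv6Address("2001:db8::1").packed

def ipv6_header(payload_len, next_header, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, zero traffic class / flow label)."""
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit) + SRC + DST

def build_fragment(offset, more, ident, payload):
    """Constructed IPv6 packet: Fragment header whose inner protocol is TCP (6)."""
    assert offset % 8 == 0, "fragment offsets are carried in 8-byte units"
    frag_hdr = struct.pack("!BBHI", 6, 0, ((offset // 8) << 3) | int(more), ident)
    return ipv6_header(8 + len(payload), FRAGMENT) + frag_hdr + payload

def walk_headers(pkt):
    """Follow the extension header chain. Returns (upper_layer_proto, frag),
    where frag is None or {"offset", "more", "id", "len"}; len is the byte
    count after the Fragment header, as tcpdump prints in 'frag (offset|len)'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], 40, None
    while nh in CHAINED:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            nxt, _rsvd, fo_m, ident = struct.unpack_from("!BBHI", pkt, off)
            off += 8
            frag = {"offset": (fo_m >> 3) * 8, "more": bool(fo_m & 1),
                    "id": ident, "len": len(pkt) - off}
        else:
            nxt, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8   # Hdr Ext Len excludes the first 8 bytes
        nh = nxt
    return nh, frag

def fragment_check(pkt):
    """The test pf.conf(5) describes: any Fragment header means the packet is
    blocked. Returns the tcpdump-style 'frag (offset|len)' text, or None."""
    _proto, frag = walk_headers(pkt)
    return None if frag is None else "frag (%d|%d)" % (frag["offset"], frag["len"])
```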
