[Bug 207598] pf adds icmp unreach on gre/ipsec somehow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon May 23 18:20:18 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

Max <maximos at als.nnov.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maximos at als.nnov.ru

--- Comment #3 from Max <maximos at als.nnov.ru> ---
I have reproduced the problem.
I think we shouldn't use a scrub rule without the "in" option, i.e. the rule should be
scrub *in* on gre0 ...
Without "in" this rule is triggered twice ("B" <--> "C"): for outgoing
*fragmented* echo request and for incoming fragmented echo reply. As a result,
the length of the received echo request exceeds the MTU on "C" box. I think it
is not good.
PF.CONF(5): "Traffic normalization is used to sanitize packet content in such a
way that there are no ambiguities in packet interpretation on the receiving
side. The normalizer does IP fragment reassembly to prevent attacks that
confuse intrusion detection systems by sending overlapping IP fragments."
Do we really need "max-mss 1360" on outgoing flow?
However, the appearance of "Destination Host Unreachable" remains unclear to me. It
is routing stuff; I need to do some research.
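For reference, the two rule forms being contrasted in the comment above, written out as a pf.conf fragment. This is an added illustration, not configuration from the bug report or from Max's comment: the interface name gre0 and the "max-mss 1360" value come from the comment, while the remaining rule shape is assumed.

```pf
# Assumed shape of the original rule: no direction keyword, so scrub
# applies to packets in both directions on gre0. Per the comment above,
# fragment reassembly then runs twice on a fragmented echo exchange
# (outgoing request and incoming reply), and the reassembled request can
# end up larger than the tunnel MTU on the far box.
scrub on gre0 max-mss 1360

# Suggested form from the comment: normalize only traffic entering the
# host on gre0, so outgoing fragments are forwarded as-is and the
# max-mss clamp is not applied to the outgoing flow.
scrub in on gre0 max-mss 1360
```

Only one of the two scrub lines would be loaded in practice. `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s rules` shows the direction keyword on the rules currently in effect, which is the quickest way to confirm which form a box is actually running.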


More information about the freebsd-pf mailing list