10.3 : PF and fragmented packets

Patrick Lamaiziere patfbsd at davenulle.org
Thu Oct 20 08:31:54 UTC 2016

On Fri, 14 Oct 2016 16:34:11 +0200,
"Kristof Provost" <kp at FreeBSD.org> wrote:


> > Looks like PF filters out fragmented packets on 10.3, at least icmp
> > and UDP. (this is not the behavior of OpenBSD 5.X)
> >
> I would expect pf to drop fragments (on both v4 and v6) if it's
> configured to do so and pass them if configured to do so, certainly
> if scrub fragment reassemble is not set.
> > Shall I play with the scrub option to allow them ?
> >
> You almost certainly want "scrub in fragment reassemble" or
> something similar, yes.

Thanks, that works fine (scrub in all fragment reassemble)

We have migrated from OpenBSD 5 to FreeBSD (because of a load problem)
and it looks like the behavior of PF between these two OSes is not the

The OpenBSD pf.conf(5) man page states the same thing about packet
fragmentation handling as FreeBSD. So I don't know why it worked

Anyway that's ok now
Best regards.
