udp fragmentation with pf/ipf
Hugo Koji Kobayashi
koji at registro.br
Fri May 18 13:37:46 UTC 2007
Ok. I understand that, but in FreeBSD 4.11 it works, and without the
"keep frags" the query is blocked. Is it just a misbehaviour of
an old ipf version?
And there is also the different behaviour of pf under OpenBSD. As I
understand it, the "scrub" rule should reassemble the fragments and pass
the complete packet on to the filter, so that the response reaches
the application. Am I wrong?
On Fri, May 18, 2007 at 09:50:58AM +1000, Mark Andrews wrote:
>
> >
> > This should be rejected as "keep frags" is meaningless here.
> >
> > pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> > keep state keep frags
> >
> > You need
> >
> > pass in quick from any to any with frag keep frag
>
> The reason is that "ip" fragments do not have next level headers.
>
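To make the point about fragments concrete, here is an added example; it is not code from the original thread, nor from pf or ipf. It builds a UDP datagram, fragments it at a small MTU, and shows that only the first fragment carries the UDP header, so a per-packet rule keyed on "port = 53" has nothing to match in the other fragments. Reassembling the fragments first (what a pf scrub rule does before the rules see the packet) gives back a packet the rule can match. Addresses, ports, the IP ID and the payload are constructed sample values.

```python
import ipaddress
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8
IP_PROTO_UDP = 17
IP_MF = 0x2000        # "more fragments" bit in the flags/offset field
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src, dst, ident, flags_offset, payload_len, proto=IP_PROTO_UDP, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident,
                      flags_offset, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ip(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    return {"src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
            "id": f[3], "ttl": f[5], "proto": f[6],
            "offset": (f[4] & IP_OFFMASK) * 8, "more": bool(f[4] & IP_MF),
            "data": pkt[IP_HDR_LEN:]}


def build_udp_datagram(src, dst, sport, dport, payload, ident=0x1234):
    # UDP checksum left at 0 (permitted for IPv4) to keep the example short.
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    return ip_header(src, dst, ident, 0, len(udp)) + udp


def fragment(packet, mtu):
    """Split the IP payload the way a sender does when it exceeds the MTU."""
    ip = parse_ip(packet)
    data = ip["data"]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8          # offsets must be multiples of 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = off + chunk < len(data)
        flags_offset = (IP_MF if more else 0) | (off // 8)
        frags.append(ip_header(ip["src"], ip["dst"], ip["id"], flags_offset,
                               len(piece), ip["proto"], ip["ttl"]) + piece)
    return frags


def udp_ports(pkt):
    """(sport, dport) if the packet carries a UDP header, else None.
    Only the fragment at offset 0 has one; the rest are opaque IP payload."""
    ip = parse_ip(pkt)
    if ip["proto"] != IP_PROTO_UDP or ip["offset"] != 0 or len(ip["data"]) < UDP_HDR_LEN:
        return None
    return struct.unpack("!HH", ip["data"][:4])


def rule_matches(pkt, port):
    """A per-packet rule like 'proto udp ... port = 53' evaluated without reassembly."""
    ports = udp_ports(pkt)
    return ports is not None and port in ports


def reassemble(frags):
    """Put the datagram back together (what scrub does before filtering).
    Returns None while fragments are missing, overlapping or leave a gap."""
    pieces, total, first = {}, None, None
    for f in frags:
        ip = parse_ip(f)
        pieces[ip["offset"]] = ip["data"]
        if not ip["more"]:
            total = ip["offset"] + len(ip["data"])
        if ip["offset"] == 0:
            first = ip
    if total is None or first is None:
        return None
    expected = 0
    for off in sorted(pieces):
        if off != expected:
            return None
        expected = off + len(pieces[off])
    if expected != total:
        return None
    body = b"".join(pieces[off] for off in sorted(pieces))
    return ip_header(first["src"], first["dst"], first["id"], 0, total, first["proto"], first["ttl"]) + body


# Constructed sample: a 1400-byte DNS answer from 192.0.2.53:53 back to the
# querying host 198.51.100.113:40000, sent over a 576-byte MTU path.
DNS_ANSWER = build_udp_datagram("192.0.2.53", "198.51.100.113", 53, 40000,
                                b"\xab\xcd" + b"\x00" * 1398)
FRAGMENTS = fragment(DNS_ANSWER, 576)

if __name__ == "__main__":
    for f in FRAGMENTS:
        ip = parse_ip(f)
        print(f"offset={ip['offset']:5d} more={ip['more']!s:5} len={len(f):4d} "
              f"udp_ports={udp_ports(f)} 'port 53' matches={rule_matches(f, 53)}")
    print("reassembled equals original:", reassemble(FRAGMENTS) == DNS_ANSWER)
```

Running it shows three fragments; the rule matches only the first, and the reassembled packet matches again on port 53. This is the situation the "keep frags" option and the scrub rule exist to handle: without one of them the second and third fragments carry no port numbers for a port-based rule or state lookup to use.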