udp fragmentation with pf/ipf

Sten Daniel Soersdal netslists at gmail.com
Thu May 31 11:45:32 UTC 2007


Hugo Koji Kobayashi wrote:
> Hello,
> 
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
> 6.2 and 7.0 (200705 snapshot).
> 
> Our test is a DNS query to a DNSSEC enabled server which replies with
> a ~4KB udp response. We do this with the following dig command:
> 
>  dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
> 
> ipf and pf in FreeBSD 6.2 or 7.0 block the fragments and the DNS
> queries time out. Disabling the firewall, complete replies are received
> with no problem.
> 
> We've made the same tests with FreeBSD 4.11 with ipf and OpenBSD 4.1
> with pf with no problems. You can see a summary of the tests below.
> 
>   OS + fw          dig result
>   fbsd4.11 + ipf   OK
>   obsd4.1 + pf     OK
>   fbsd6.2          OK
>   fbsd6.2 + ipf    timeout
>   fbsd6.2 + pf     timeout
>   fbsd7.0          OK
>   fbsd7.0 + ipf    timeout
>   fbsd7.0 + pf     timeout
> 
> Complete test results (including tcpdump output and firewall rule
> sets) are attached.
> 
> Can somebody tell us if he hit a bug or if there is something we are
> missing?
> 

By the looks of it, you hit a bug.

"scrub in all fragment reassemble" should reassemble good fragments 
before evaluating the rules.

-- 
Sten Daniel Soersdal
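An added diagnostic for the symptom described in the thread (not code from either poster): it builds the same kind of +dnssec query dig sends, with an EDNS0 OPT record advertising a chosen UDP buffer size, and repeats it at decreasing sizes. A timeout at sizes that force fragmentation but a reply at a size below the path MTU points at fragments being dropped between resolver and server. The server address, the query name and the size ladder are parameters you supply; the embedded test bytes are constructed here.

```python
import socket
import struct

DNSKEY = 48  # RR type used by the dig command in the thread

def build_edns_query(name, qtype, bufsize, do_bit=True, txid=0x1234):
    """Standard DNS query (RD set) plus an EDNS0 OPT RR (RFC 6891).
    bufsize goes in the OPT CLASS field; the DO bit asks for DNSSEC RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(struct.pack("B", len(l)) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # qclass IN
    ext_flags = 0x8000 if do_bit else 0
    # NAME=root, TYPE=OPT(41), CLASS=bufsize, ext-rcode, version, flags, rdlen
    opt = b"\x00" + struct.pack("!HHBBHH", 41, bufsize, 0, 0, ext_flags, 0)
    return header + question + opt

def parse_header(data, txid):
    """Pull the fields that matter for this diagnosis out of a reply header."""
    rid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "arcount": ar}

def probe(server, name, qtype=DNSKEY, sizes=(4500, 2048, 1232, 512), timeout=3.0):
    """Ask the same question at each advertised buffer size, largest first.
    Returns a list of per-size dicts; 'timeout' at large sizes with a reply
    (possibly truncated, tc=True) at small sizes is the firewall signature."""
    results = []
    for size in sizes:
        txid = (0x1000 + size) & 0xFFFF
        query = build_edns_query(name, qtype, size, txid=txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                results.append({"bufsize": size, "result": "timeout"})
                continue
        info = parse_header(data, txid)
        info.update({"bufsize": size, "result": "reply", "bytes": len(data)})
        results.append(info)
    return results

if __name__ == "__main__":
    # Replace with the authoritative server you are testing against.
    for row in probe("192.0.2.53", "se"):
        print(row)
```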


More information about the freebsd-stable mailing list