Date: Wed, 30 May 2007 10:02:03 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Hugo Koji Kobayashi <koji@registro.br>
Subject: Re: udp fragmentation
Message-ID: <200705301002.04911.max@love2party.net>
In-Reply-To: <20070528224225.GC40678@registro.br>
References: <20070528224225.GC40678@registro.br>
Hi Hugo,

On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented UDP DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies with
> a ~4KB UDP response. We do this with the following dig command:
>
> dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
>
> pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> time out. Disabling the firewall, complete replies are received with no
> problem. The same test was run on an OpenBSD 4.1 box with no problem.
>
> Complete test results were sent to the freebsd-stable and freebsd-net
> mailing lists and can be found here:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
>
> (The email message above includes tests with ipf)
>
> The pf rules look like this in all tests:
>
> scrub in all fragment reassemble
> block drop in log all
> pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> pass out on bge0 proto tcp all flags S/SA keep state
> pass out on bge0 proto udp all keep state
> pass out on bge0 proto icmp all keep state
>
> Am I doing something wrong? Is there anything else I should try on
> FreeBSD?

Can you enable extended logging (pfctl -xm) and check your console for
messages? Also please check "pfctl -si" for counter increases.

Thanks,
--
Max
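As an added illustration of the "pfctl -si" check Max asks for (not part of the thread), the script below snapshots pf's counters before and after the dig query from the report and prints only the counters that increased. It assumes the FreeBSD "pfctl -si" layout in which a "Counters" heading is followed by lines of the form "name total rate".

```shell
#!/bin/sh
# Added example: find which pf counters grow while the fragmented
# DNS reply is being dropped. Assumes "pfctl -si" prints a "Counters"
# heading followed by lines "name total rate" (e.g. "fragment 3 0.0/s").

# pf_counter_delta BEFORE_FILE AFTER_FILE
# Prints "name before after" for each counter whose total increased.
pf_counter_delta() {
    awk '
        FNR == 1          { incount = 0 }      # reset per input file
        /^Counters/       { incount = 1; next } # start of counter block
        incount && NF >= 2 && $2 ~ /^[0-9]+$/ {
            if (NR == FNR) before[$1] = $2      # first file: remember totals
            else if ($2 > before[$1] + 0)        # second file: report growth
                print $1, before[$1] + 0, $2
        }
    ' "$1" "$2"
}

# pf_fragment_test: run on the firewall host as root. Snapshots the
# counters, issues the ~4KB DNSSEC query from the report, snapshots
# again and shows what moved (expect "fragment" or "short" to climb if
# reassembly of the UDP fragments is what fails).
pf_fragment_test() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    pfctl -si > "$before"
    dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0 > /dev/null 2>&1
    pfctl -si > "$after"
    pf_counter_delta "$before" "$after"
    rm -f "$before" "$after"
}
```

Run pf_fragment_test with the ruleset loaded; an empty result means no counter moved, which points away from the normalizer and towards the block rule itself (check the pflog output in that case).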