Date: Fri, 16 Dec 2005 13:34:17 -0600
From: Paul Dokas <dokas@oitsec.umn.edu>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: very odd PF + FreeBSD6.0 problems
Message-ID: <20051216133417.2d8dee1a.dokas@oitsec.umn.edu>
In-Reply-To: <20051216183447.GA14269@insomnia.benzedrine.cx>
References: <20051216100915.73fef758.dokas@oitsec.umn.edu> <20051216183447.GA14269@insomnia.benzedrine.cx>
On Fri, 16 Dec 2005 19:34:47 +0100 Daniel Hartmeier <daniel@benzedrine.cx> wrote:

> The additional checks are automatically enabled when using "reassemble
> tcp", which explains why the same ruleset didn't block the packets on
> 5.4 but now does on 6.0. You can disable "reassemble tcp" and the new
> (and old) TCP checks won't run. See the updated pf.conf(5) man page for
> a full list of checks that this feature enables/disables.

I can confirm this. I'm now running with PF enabled and the following scrub rule:

    scrub all fragment reassemble

The previous rule was 'scrub all reassemble tcp' and was the source(?) of the problem.

I'm still digging to find where the problem is located. It's rather slow going as we have a fairly diverse and complex network installation. The one place that I'm currently looking at is the FreeBSD 5.4 machine acting as a bridging firewall that is immediately upstream from me.

Paul
-- 
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
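The two scrub rules discussed in this exchange, side by side in a pf.conf fragment. This is an added illustration, not a ruleset from either poster or from the FreeBSD project; the interface name, address range and the pass/block rules around the scrub line are assumptions made up for the example.

```pf
# Added example pf.conf fragment (not from the thread). The interface name,
# network and filter rules below are assumptions for illustration only.
ext_if = "em0"
inside_net = "192.0.2.0/24"

# The rule the poster ran before: on FreeBSD 6.0 "reassemble tcp" also
# switches on the stateful TCP normalization checks that pf.conf(5) lists
# for that keyword, so TCP traffic that arrives already mangled by an
# upstream device gets dropped here, where 5.4 let it through.
#scrub all reassemble tcp

# The rule the poster switched to: IP fragment reassembly only. No TCP
# normalization is enabled, so neither the new nor the old TCP checks run.
scrub all fragment reassemble

# Assumed filter rules, only so the fragment loads as a complete ruleset.
block log all
pass in on $ext_if proto tcp from any to $inside_net keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, load with `pfctl -f /etc/pf.conf`, and confirm which scrub rule is active with `pfctl -s rules`; `pfctl -s info` shows the normalize counters, which is the quickest way to see whether scrub is the stage dropping packets while the upstream bridge is being investigated.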
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051216133417.2d8dee1a.dokas>
