From: Paul Dokas <dokas@oitsec.umn.edu>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Fri, 16 Dec 2005 13:34:17 -0600
Subject: Re: very odd PF + FreeBSD6.0 problems
Message-Id: <20051216133417.2d8dee1a.dokas@oitsec.umn.edu>
In-Reply-To: <20051216183447.GA14269@insomnia.benzedrine.cx>
Organization: OIT Security and Assurance, University of Minnesota

On Fri, 16 Dec 2005 19:34:47 +0100 Daniel Hartmeier wrote:

> The additional checks are automatically enabled when using "reassemble
> tcp", which explains why the same ruleset didn't block the packets on
> 5.4 but now does on 6.0. You can disable "reassemble tcp" and the new
> (and old) TCP checks won't run. See the updated pf.conf(5) man page for
> a full list of checks that this feature enables/disables.

I can confirm this. I'm now running with PF enabled and the following
scrub rule:

    scrub all fragment reassemble

The previous rule was 'scrub all reassemble tcp' and was the source(?)
of the problem.

I'm still digging to find where the problem is located. It's rather
slow going as we have a fairly diverse and complex network installation.
The one place that I'm currently looking at is the FreeBSD 5.4 machine
acting as a bridging firewall that is immediately upstream from me.

Paul

--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."