From: Max Laier
To: pf4freebsd@freelists.org
Cc: othermark
Date: Fri, 23 Jul 2004 00:55:56 +0200
Subject: Re: fixing out of order first fragment processing?

On Friday 23 July 2004 00:32, othermark wrote:
> Max Laier wrote:
> > On Thursday 22 July 2004 23:34, othermark wrote:
> > Activation of pf with a
> > scrub in on fragment reassemble
> > rule works as workaround.
>
> Thanks for this suggestion,
>
> I have a 'scrub in all fragments reassemble' that I just added and loaded
> to my /etc/pf.conf, which does not seem to solve the problem. Do I have to
> specify a scrub for each interface in this case (maybe a better question
> for the pf list)?

Moved. It actually should. Can you please try to # pfctl -x misc and check the
console? I might well have something wrong, need to cross check.

> > In every case you have to decide if you want to
> > invest the required memory to store fragments, which might make you
> > easy/easier prey for DoS-attacks. Usually, for an average gateway the
> > cost is worth the gain (= increased security).
>
> Most of the current systems today are able to handle both types of
> sequences. It really is a small processing hit, FreeBSD already does
> some buffering with proper safeguards/maximums for various
> traffic patterns.
>
> I would suspect some NFS/udp interoperability problems with the way it
> handles fragments right now.
>
> --
> othermark
> atkin901 at nospam dot yahoo dot com
> (!wired)?(coffee++):(wired);

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News