Date:      Thu, 16 Sep 2004 04:09:25 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Subject:   [pf4freebsd] Re: fixing out of order first fragment processing?
Message-ID:  <20040723034710.GA2759@kt-is.co.kr>
In-Reply-To: <200407230055.57014.max@love2party.net>
References:  <cdpbts$om0$1@sea.gmane.org> <200407222359.23147.max@love2party.net> <cdpf9q$o0t$1@sea.gmane.org> <200407230055.57014.max@love2party.net>

On Fri, Jul 23, 2004 at 12:55:56AM +0200, Max Laier wrote:
 > On Friday 23 July 2004 00:32, othermark wrote:
 > > Max Laier wrote:
 > > > On Thursday 22 July 2004 23:34, othermark wrote:
 > > > Activation of pf with a
 > > > scrub in on <interface> fragment reassemble
 > > > rule works as a workaround.
 > >
 > > Thanks for this suggestion,
 > >
 > > I have a 'scrub in all fragments reassemble' that I just added and loaded
 > > to my /etc/pf.conf, which does not seem to solve the problem.  Do I have to
 > > specify a scrub for each interface in this case (maybe a better question
 > > for the pf list)?
 > 
 > Moved. It actually should. Can you please try to # pfctl -x misc and check the 
 > console? I might well have something wrong, need to cross check.
 > 

If the DF (don't fragment) bit in the IP header is set and the packet
is fragmented, pf will drop the packet. I guess it's natural to
drop the packet when such a condition occurs.
Check the output of tcpdump.

You can let pf pass the packet with the no-df option.
For instance,
scrub on $interface random-id no-df fragment reassemble

 > > > In every case you have to decide if you want to
 > > > invest the required memory to store fragments, which might make you
 > > > easy/easier prey for DoS-attacks. Usually, for an average gateway the
 > > > cost is worth the gain (= increased security).
 > >
 > > Most of the current systems today are able to handle both types of
 > > sequences.   It really is a small processing hit, FreeBSD already does
 > > some buffering with proper safeguards/maximums for various
 > > traffic patterns.
 > >
 > > I would suspect some NFS/udp interoperability problems with the way it
 > > handles fragments right now.
 > >
 > > --
 > > othermark
 > > atkin901 at nospam dot yahoo dot com
 > > (!wired)?(coffee++):(wired);
 > >
 > > _______________________________________________
 > > freebsd-current@freebsd.org mailing list
 > > http://lists.freebsd.org/mailman/listinfo/freebsd-current
 > > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
 > 
 > -- 
 > /"\  Best regards,			| mlaier@freebsd.org
 > \ /  Max Laier				| ICQ #67774661
 >  X   http://pf4freebsd.love2party.net/	| mlaier@EFnet
 > / \  ASCII Ribbon Campaign		| Against HTML Mail and News

Best Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>;
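The condition Pyun describes (a fragment that also carries DF) is easy to check by hand on the IPv4 header. The following is an added example written for this page, not pf source and not code from anyone in the thread: it builds a few constructed IPv4 headers (not captured traffic), parses the flags/offset word, and applies a hypothetical `scrub_verdict()` model of `fragment reassemble` with and without `no-df`. The `TCPDUMP_DF_FRAGMENT_FILTER` string is the matching capture filter for spotting such packets with tcpdump; all names here are assumptions of the example.

```python
"""Constructed IPv4 headers illustrating the DF-plus-fragment case.

The sample datagrams are built here (not captured traffic), and
scrub_verdict() is a hypothetical model of pf's handling, not pf code.
"""
import struct

IP_DF = 0x4000       # don't fragment
IP_MF = 0x2000       # more fragments follow
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units

# tcpdump filter for the same condition: DF set on something that is a fragment
# (MF set, or non-zero fragment offset).
TCPDUMP_DF_FRAGMENT_FILTER = (
    "ip[6] & 0x40 != 0 and (ip[6] & 0x20 != 0 or ip[6:2] & 0x1fff != 0)"
)


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement header checksum over the given bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident, df, mf, offset_units, payload_len=8, proto=17,
                      src="192.0.2.1", dst="192.0.2.2"):
    """Build a 20-byte IPv4 header (no options) with the given fragment fields."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | (offset_units & IP_OFFMASK)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(raw):
    """Parse the fixed part of an IPv4 header; reject truncated or corrupt ones."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    if ipv4_checksum(raw[:ihl]) != 0:  # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {
        "ident": ident,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & IP_OFFMASK) * 8,  # in bytes
        "proto": proto,
        "total_len": total_len,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def scrub_verdict(hdr, no_df=False):
    """Hypothetical model of 'scrub ... fragment reassemble' with/without no-df.

    A datagram is a fragment if MF is set or the offset is non-zero. A fragment
    that also carries DF is self-contradictory: without no-df it is dropped,
    with no-df it is queued for reassembly like any other fragment.
    """
    fragmented = hdr["mf"] or hdr["frag_offset"] != 0
    if not fragmented:
        return "pass"
    if hdr["df"] and not no_df:
        return "drop"
    return "reassemble"


# Constructed samples: a UDP datagram split in two by a sender that (wrongly)
# keeps DF on each fragment, plus an unfragmented packet and a clean fragment.
SAMPLES = {
    "first-frag-df": build_ipv4_header(0x1234, df=True, mf=True, offset_units=0, payload_len=1480),
    "last-frag-df": build_ipv4_header(0x1234, df=True, mf=False, offset_units=185, payload_len=100),
    "whole-df": build_ipv4_header(0x1235, df=True, mf=False, offset_units=0),
    "first-frag-nodf": build_ipv4_header(0x1236, df=False, mf=True, offset_units=0, payload_len=1480),
}


def classify_samples(no_df=False):
    """Verdict per constructed sample under the chosen scrub setting."""
    return {name: scrub_verdict(parse_ipv4_header(raw), no_df) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("no-df" if mode else "default", classify_samples(no_df=mode))
```

Running it shows the two DF-bearing fragments dropped under the default model and reassembled once `no_df` is set, while the unfragmented DF packet passes either way. On a live box, `tcpdump -ni <interface> '<TCPDUMP_DF_FRAGMENT_FILTER>'` shows whether such packets are actually arriving before you relax the rule.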




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040723034710.GA2759>