Date:      Tue, 7 Jun 2011 21:14:36 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: IPv6 day, PF and IPv6 fragments
Message-ID:  <875CCF38-D6CE-45E7-8F41-2DBA79B12481@lists.zabbadoz.net>
In-Reply-To: <20110607195057.GA37735@in-addr.com>
References:  <20110607195057.GA37735@in-addr.com>



On Jun 7, 2011, at 7:50 PM, Gary Palmer wrote:

> I noticed after running test-ipv6.com at home that I was getting
> 
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
> 
> on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says
> 
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
> 
> Is this correct?  If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?

OpenBSD might have added it lately to their devel version though I am not yet sure to which extent they now check.  If you trust your hosts you can use something like:

pass log quick inet6 proto ipv6-frag all

to let the ipv6 fragments pass through without inspection.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
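An added pf.conf fragment (example only, not part of the thread and not from the FreeBSD project) showing a narrower form of the rule Bjoern suggests. The reply's rule, "pass log quick inet6 proto ipv6-frag all", matches every packet carrying a Fragment extension header on every interface in both directions; because "quick" ends evaluation, none of the later port or state rules ever see those packets. The version below keeps that behaviour but limits it to inbound traffic on the tunnel and to a table of trusted sources. It assumes the tunnel interface is gif0 (as in Gary's log), that the trusted hosts live in 2001:db8::/32 (a documentation prefix used as a placeholder), and that the rest of the ruleset is default-deny; none of that comes from the page.

```pf
# Added example pf.conf; NOT code from the original thread.
# Assumptions (not stated on the page): the tunnel interface is gif0,
# trusted remote hosts are in 2001:db8::/32 (placeholder documentation
# prefix), and the remaining policy is default-deny.
ext_if = "gif0"

# Sources whose fragmented IPv6 traffic is accepted without inspection.
table <frag_ok6> { 2001:db8::/32 }

# Reassembly only helps IPv4 on this pf: the man page quoted in the
# thread says IPv6 fragments are blocked unconditionally, so no scrub
# option makes them inspectable.
scrub in all fragment reassemble

# Default deny, logged, so fragments from untrusted sources still show
# up in pflog the way Gary's did.
block log all

# Narrow form of the suggested rule: inbound only, tunnel only, trusted
# sources only.  "quick" stops evaluation here, so the port and state
# rules below are bypassed for these packets; that is why the source
# table matters.
pass in log quick on $ext_if inet6 proto ipv6-frag from <frag_ok6> to any

# Ordinary stateful rules; unfragmented IPv6 is still filtered normally.
pass out quick inet6 keep state
pass in quick on $ext_if inet6 proto tcp to any port 80 flags S/SA keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". Note that the first fragment in Gary's log (offset 0) carries the TCP header, but pf on this release blocks it regardless, so even that fragment can only be admitted by trusting its source, not by port.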
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?875CCF38-D6CE-45E7-8F41-2DBA79B12481>