Date: Fri, 18 May 2007 10:37:45 -0300
From: Hugo Koji Kobayashi <koji@registro.br>
To: Mark Andrews <Mark_Andrews@isc.org>
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: udp fragmentation with pf/ipf
Message-ID: <20070518133745.GJ37175@registro.br>
In-Reply-To: <200705172350.l4HNowGe089722@drugs.dv.isc.org>
References: <200705172350.l4HNowGe089722@drugs.dv.isc.org>
Ok. I understand that, but in FreeBSD 4.11 it works, and without the "keep frags" the query is blocked. Is it just a misbehaviour of an old ipf version? And there is also the different behaviour of pf under OpenBSD. As I understand it, the "scrub" rule should reassemble the fragments and pass the complete packet on to the filter, making the response arrive at the application. Am I wrong?

On Fri, May 18, 2007 at 09:50:58AM +1000, Mark Andrews wrote:
> This should be rejected as "keep frags" is meaningless here.
>
> > pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> > keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag
>
> The reason is that "ip" fragments do not have next level headers.
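As an added illustration of Mark's point (this is constructed example code, not part of the thread and not ipf's or pf's own logic): a small Python fragmenter splits a UDP datagram the way IP does and shows that only the first fragment exposes the UDP ports a `proto udp ... port = 53` rule needs, while every fragment carries the IP-level fragment flags that a `with frag` rule keys on. The MTU, identification value and 0.0.0.0 addresses are placeholders.

```python
import struct

UDP_PROTO = 17
MF_FLAG = 0x2000   # "more fragments" bit in the IPv4 flags/offset field

def build_udp_datagram(src_port, dst_port, payload):
    """UDP header (ports, length, zero checksum) followed by the payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def fragment_ipv4(transport, mtu=576, proto=UDP_PROTO, ident=0x1234):
    """Split a transport PDU into IPv4 fragments the way a sending host does:
    each gets a fresh IP header, but the UDP header is ordinary payload and
    therefore only ends up in the fragment at offset 0."""
    max_chunk = (mtu - 20) // 8 * 8   # offsets are counted in 8-byte units
    frags, offset = [], 0
    while offset < len(transport):
        chunk = transport[offset:offset + max_chunk]
        more = offset + len(chunk) < len(transport)
        flags_off = (MF_FLAG if more else 0) | (offset // 8)
        # src/dst are constructed 0.0.0.0 placeholders; addresses do not matter here
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, proto, 0, bytes(4), bytes(4))
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags

def udp_ports(packet):
    """Ports a 'proto udp ... port = 53' rule could test, or None for a
    non-first fragment, where the UDP header simply is not present."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", packet[6:8])[0]
    if packet[9] != UDP_PROTO or (flags_off & 0x1FFF) != 0:
        return None
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def is_fragment(packet):
    """What a 'with frag' rule keys on: MF set or a non-zero fragment offset."""
    flags_off = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_off & MF_FLAG) or (flags_off & 0x1FFF) != 0

def classify(packets, port=53):
    """Label each packet by which kind of rule could ever see it."""
    labels = []
    for p in packets:
        ports = udp_ports(p)
        if ports and port in ports:
            labels.append("port-match")      # only the first fragment gets here
        else:
            labels.append("fragment-only" if is_fragment(p) else "other")
    return labels
```

Running `classify(fragment_ipv4(build_udp_datagram(53, 40000, b"A" * 2000)))` labels the first fragment `port-match` and the remaining three `fragment-only`, which is why the trailing fragments can only be admitted by a rule that matches on fragments rather than on ports.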