From: Hugo Koji Kobayashi <koji@registro.br>
To: freebsd-pf@freebsd.org
Date: Mon, 28 May 2007 19:42:25 -0300
Subject: udp fragmentation

Hello,

While making some tests with fragmented udp DNS responses (with EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and 7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC enabled server which replies with a ~4KB udp response. We do this with the following dig command:

dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries time out. Disabling the firewall, complete replies are received with no problem. The same test was run on an OpenBSD 4.1 box with no problem.

Complete test results were sent to the freebsd-stable and freebsd-net mailing lists and can be found here:

http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html

(The email message above includes tests with ipf)

pf rules look like this in all tests:

scrub in all fragment reassemble
block drop in log all
pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
pass out on bge0 proto tcp all flags S/SA keep state
pass out on bge0 proto udp all keep state
pass out on bge0 proto icmp all keep state

Am I doing something wrong? Is there anything else I should try on FreeBSD?

Thanks,
Hugo
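Added example, not part of Hugo's message or of pf: it builds the wire-format query that `dig se dnskey +dnssec +bufsize=4500` sends (an EDNS0 OPT record advertising a 4500-byte UDP buffer with the DO bit set) and models how the resulting ~4 KB UDP reply is split into IPv4 fragments at a 1500-byte MTU, which is what the `scrub ... fragment reassemble` rule has to put back together before the `pass out proto udp ... keep state` rule can see ports. The transaction id and the 4096-byte reply size are assumed sample values.

```python
# Added example (not from the original message or from pf/dig itself).
import struct

DNSKEY = 48        # RR type of the record dig asks for
OPT = 41           # EDNS0 pseudo-RR type (RFC 6891)
DO_BIT = 0x8000    # "DNSSEC OK" flag in the OPT record's TTL field


def build_edns0_query(name, qtype=DNSKEY, udp_size=4500, do=True, txid=0x1234):
    """Wire-format DNS query with an OPT record, as sent by dig +bufsize=N +dnssec."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QCLASS IN
    # OPT RR: empty name, TYPE=41, CLASS carries the requester's UDP payload size,
    # TTL carries ext-rcode(8) | version(8) | flags(16), RDLENGTH=0.
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, udp_size, 0, 0, DO_BIT if do else 0, 0)
    return header + question + opt


def ipv4_fragments(udp_payload_len, mtu=1500):
    """Split one UDP datagram into the IPv4 fragments a router would emit.

    Returns [(fragment_offset_bytes, data_bytes, more_fragments)].  Only the
    fragment at offset 0 contains the 8-byte UDP header, so only it carries the
    source/destination ports a stateful UDP rule can match; the rest must be
    reassembled (pf's scrub rule) before they can be attributed to a state.
    """
    total = 8 + udp_payload_len            # UDP header + payload
    per_frag = (mtu - 20) // 8 * 8         # 20-byte IP header; data in multiples of 8
    frags, off = [], 0
    while off < total:
        n = min(per_frag, total - off)
        frags.append((off, n, off + n < total))
        off += n
    return frags


if __name__ == "__main__":
    q = build_edns0_query("se")
    print(len(q), "byte query;", "OPT record:", q[-11:].hex())
    # Assumed sample reply size of 4096 bytes, close to the ~4KB in the report.
    for off, n, more in ipv4_fragments(4096):
        print(f"offset={off:5d} data={n:4d} MF={int(more)} "
              f"{'UDP header visible' if off == 0 else 'no port info'}")
```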