Date: Thu, 31 May 2007 13:44:56 +0200 From: Sten Daniel Soersdal <netslists@gmail.com> To: Hugo Koji Kobayashi <koji@registro.br> Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org Subject: Re: udp fragmentation with pf/ipf Message-ID: <465EB538.4040901@gmail.com> In-Reply-To: <20070517215025.GC37175@registro.br> References: <20070517215025.GC37175@registro.br>
Hugo Koji Kobayashi wrote:
> Hello,
>
> While making some tests with fragmented UDP DNS responses (with
> EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
> 6.2 and 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies with
> a ~4KB UDP response. We do this with the following dig command:
>
> dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
>
> ipf and pf in FreeBSD 6.2 or 7.0 block the fragments and the DNS
> queries time out. Disabling the firewall, complete replies are received
> with no problem.
>
> We've made the same tests with FreeBSD 4.11 with ipf and OpenBSD 4.1
> with pf with no problems. You can see a summary of the tests below.
>
> OS + fw          dig result
> fbsd4.11 + ipf   OK
> obsd4.1 + pf     OK
> fbsd6.2          OK
> fbsd6.2 + ipf    timeout
> fbsd6.2 + pf     timeout
> fbsd7.0          OK
> fbsd7.0 + ipf    timeout
> fbsd7.0 + pf     timeout
>
> Complete test results (including tcpdump output and firewall rule
> sets) are attached.
>
> Can somebody tell us if we hit a bug or if there is something we are
> missing?

By the looks of it, you hit a bug. "scrub in all fragment reassemble"
should reassemble good fragments before evaluating the rules.

--
Sten Daniel Soersdal
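The mechanism behind the timeouts in the thread above, as an added example that is not part of the original message and not pf or ipf code: only the first IP fragment of a UDP datagram carries the UDP header, so a stateless rule such as "pass udp from port 53" has nothing to match on the later fragments and drops them, while a filter that reassembles before evaluating the rules (what "scrub in all fragment reassemble" is meant to do) sees one complete datagram. The packets are constructed here: the 4000-byte payload, the MTU of 1500, the client address 10.0.0.1, the client port 40000 and the IP identification 0x1234 are assumptions; 192.36.144.107 is the server address from the post. IP and UDP checksums are left at zero because nothing here verifies them.

```python
"""Added example: why a stateless filter drops the non-first IP fragments of a
large UDP/DNS response, and what reassembling before filtering changes.
Packets are constructed in-line; this is not code from the thread or from pf/ipf."""
import struct

MTU = 1500        # assumed MTU of the fragmenting hop
DNS_PORT = 53
IPPROTO_UDP = 17

def ipv4_header(total_len, ident, flags_frag, proto, src, dst):
    """20-byte IPv4 header; header checksum left zero (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, 64, proto, 0, src, dst)

def udp_datagram(sport, dport, payload):
    """UDP header (checksum 0 = absent) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ident, src, dst, transport, mtu=MTU):
    """Split an IP payload into fragments as a router would.  Fragment offsets
    are counted in 8-byte units, so every non-final piece is a multiple of 8."""
    max_data = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < len(transport):
        chunk = transport[offset:offset + max_data]
        more = offset + len(chunk) < len(transport)
        flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag | offset/8
        frags.append(ipv4_header(20 + len(chunk), ident, flags_frag,
                                 IPPROTO_UDP, src, dst) + chunk)
        offset += len(chunk)
    return frags

def parse_ip(pkt):
    (ver_ihl, _, total_len, ident, flags_frag,
     _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "src": src, "dst": dst,
            "data": pkt[ihl:total_len]}

def stateless_pass(pkt):
    """Rule 'pass in proto udp from any port 53' evaluated on one packet.
    A UDP header is only present at fragment offset 0; later fragments
    carry no ports at all, so this rule can never match them."""
    ip = parse_ip(pkt)
    if ip["proto"] != IPPROTO_UDP or ip["offset"] != 0 or len(ip["data"]) < 8:
        return False
    sport, _dport = struct.unpack("!HH", ip["data"][:4])
    return sport == DNS_PORT

def reassemble(frags):
    """Reassemble fragments sharing (src, dst, ident, proto).  Returns the full
    IP payload, or None when a piece is missing, overlapping or the chain is
    not terminated (a conservative reassembler refuses rather than guesses)."""
    parts = [parse_ip(p) for p in frags]
    if len({(p["src"], p["dst"], p["ident"], p["proto"]) for p in parts}) != 1:
        return None
    parts.sort(key=lambda p: p["offset"])
    buf = b""
    for p in parts:
        if p["offset"] != len(buf):      # gap or overlap
            return None
        buf += p["data"]
    if parts[-1]["more"]:                # final fragment never arrived
        return None
    return buf

def filter_with_reassembly(frags):
    """Evaluate the same rule after reassembly: the filter now sees one
    datagram whose UDP header covers the whole response."""
    whole = reassemble(frags)
    if whole is None:
        return False
    first = parse_ip(frags[0])
    rebuilt = ipv4_header(20 + len(whole), first["ident"], 0, IPPROTO_UDP,
                          first["src"], first["dst"]) + whole
    return stateless_pass(rebuilt)

def demo(response_len=4000):
    """Constructed ~4 KB DNSSEC-sized response from 192.36.144.107:53 to a
    client at 10.0.0.1:40000, fragmented at MTU 1500 (assumed values)."""
    src, dst = bytes([192, 36, 144, 107]), bytes([10, 0, 0, 1])
    dgram = udp_datagram(DNS_PORT, 40000, b"\x00" * response_len)
    frags = fragment(0x1234, src, dst, dgram)
    return {"fragments": len(frags),
            "passed_stateless": sum(stateless_pass(f) for f in frags),
            "passed_reassembled": filter_with_reassembly(frags)}

if __name__ == "__main__":
    print(demo())   # 3 fragments; 1 passes stateless; reassembled passes
```

With a 4008-byte UDP datagram and a 1500-byte MTU the response arrives as three fragments; the stateless rule admits only the first, and the client's resolver never gets a complete answer, which is exactly the `dig` timeout reported above. After reassembly the whole datagram matches the rule once. The reassembler here deliberately returns None on gaps, overlaps or a missing last fragment, which is the behaviour a practitioner wants from a filter-side reassembler: an incomplete chain must not be passed or guessed at.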