Date: Wed, 8 Jun 2011 10:06:19 +0200 (CEST)
From: Mohacsi Janos <mohacsi@niif.hu>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 day, PF and IPv6 fragments
Message-ID: <alpine.BSF.2.00.1106080952350.63146@mignon.ki.iif.hu>
In-Reply-To: <20110607195057.GA37735@in-addr.com>
References: <20110607195057.GA37735@in-addr.com>
Dear All,

On Tue, 7 Jun 2011, Gary Palmer wrote:

> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct? If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?

Yes, PF did not support IPv6 fragmentation. In IPv6 the fragmentation is done in extension headers, which are not very well supported in either version of PF. Extension headers are very complicated to parse (and reassembly should take place for scrubbing!), therefore probably the PF implementors decided to write the support later, when there is a need for it.

However, the situation is not so bad. We have been using PF on FreeBSD since 2005 (FreeBSD 6.x, 7.x, 8.x) with IPv6 enabled and we have no complaint about PF unconditionally dropping packets with the fragmentation extension.

The OpenBSD pf in FreeBSD 8.2 still doesn't have support for the IPv6 fragmentation header.

> Thanks,
>
> Gary
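Added example, not part of the thread: a small Python parser that walks an IPv6 extension-header chain, reports a Fragment header in the `frag (offset|length)` form that pflog/tcpdump print, and models the pf.conf(5) behaviour quoted above (any IPv6 packet carrying a Fragment header is blocked before the ruleset is consulted). The packets, the 2001:db8::/32 documentation addresses and the fragment identification are constructed here; the 1424/16 split mirrors the two logged fragments.

```python
import struct

FRAGMENT_HDR = 44                      # IPv6 Fragment extension header
VAR_LEN_EXT = {0, 43, 60}              # Hop-by-Hop, Routing, Destination Options
DOC_SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")   # constructed 2001:db8::1
DOC_DST = bytes.fromhex("20010db8" + "0" * 23 + "2")   # constructed 2001:db8::2

def parse_ipv6_chain(pkt: bytes):
    """Walk the fixed IPv6 header and the extension-header chain.
    Returns (upper_layer_protocol, fragment); fragment is None or a dict
    {offset, more, id, length} in the byte units tcpdump/pflog print."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], 40, None
    while True:
        if nh == FRAGMENT_HDR:           # fixed 8 bytes: next, reserved, offset/flags, id
            if off + 8 > len(pkt):
                raise ValueError("truncated Fragment header")
            nh, _res, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            frag = {"offset": (off_flags >> 3) * 8, "more": bool(off_flags & 1),
                    "id": ident, "length": len(pkt) - off}
        elif nh in VAR_LEN_EXT:          # Hdr Ext Len is in 8-octet units, excluding the first 8
            if off + 2 > len(pkt) or off + (pkt[off + 1] + 1) * 8 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return nh, frag              # upper-layer header (e.g. 6 = TCP) reached

def build_ipv6(payload: bytes, next_header: int) -> bytes:
    """Constructed IPv6 packet (documentation addresses) carrying `payload`."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + DOC_SRC + DOC_DST + payload

def build_fragment(payload: bytes, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    """Constructed fragment: IPv6 header, Fragment header, then `payload` bytes of TCP."""
    assert offset % 8 == 0, "fragment offsets are in 8-octet units"
    frag_hdr = struct.pack("!BBHI", 6, 0, (offset // 8) << 3 | int(more), ident)
    return build_ipv6(frag_hdr + payload, FRAGMENT_HDR)

def legacy_pf_verdict(pkt: bytes) -> str:
    """Model the pf.conf(5) text quoted in the thread: an IPv6 packet with a Fragment
    header is blocked unconditionally; anything else goes on to the ruleset."""
    _proto, frag = parse_ipv6_chain(pkt)
    if frag is None:
        return "ruleset"
    return "block: frag (%d|%d)" % (frag["offset"], frag["length"])

if __name__ == "__main__":
    segment = bytes(1440)   # constructed: 32-byte TCP header + 1408 data, split 1424/16 as logged
    for frag in (build_fragment(segment[:1424], 0, True), build_fragment(segment[1424:], 1424, False)):
        print(legacy_pf_verdict(frag))   # block: frag (0|1424), then block: frag (1424|16)
```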