Date: Thu, 20 Oct 2016 10:31:39 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-questions@freebsd.org
Cc: "Kristof Provost" <kp@FreeBSD.org>
Subject: Re: 10.3 : PF and fragmented packets
Message-ID: <20161020103139.22eab09e@mr185083>
In-Reply-To: <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>
References: <20161014160649.658a32cd@mr185083> <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>

On Fri, 14 Oct 2016 16:34:11 +0200,
"Kristof Provost" <kp@FreeBSD.org> wrote:

Hello,

> > Looks like PF filters out fragmented packets on 10.3, at least icmp
> > and UDP. (this is not the behavior of OpenBSD 5.X)
> >
> I would expect pf to drop fragments (on both v4 and v6) if it's
> configured to do so and pass them if configured to do so, certainly
> if scrub fragment reassemble is not set.
>
> > Shall I play with the scrub option to allow them?
> >
> You almost certainly want "scrub in fragment reassemble" or
> something similar, yes.

Thanks, that works fine (scrub in all fragment reassemble)

We have migrated from OpenBSD 5 to FreeBSD (because of load problem)
and it looks like the behavior of PF between these two OSes is not the
same. The OpenBSD pf.conf(5) man page states the same thing about packet
fragmentation handling as FreeBSD. So I don't know why it worked
before.

Anyway, that's ok now.

Best regards.