From owner-freebsd-questions@freebsd.org  Thu Oct 20 08:31:54 2016
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 128BFC1AA2B
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Thu, 20 Oct 2016 08:31:54 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
Received: from sender163-mail.zoho.com (sender163-mail.zoho.com
 [74.201.84.163])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 05C7B92D
 for <freebsd-questions@freebsd.org>; Thu, 20 Oct 2016 08:31:54 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
Received: from mr185083 (mr185083.univ-rennes1.fr [129.20.185.83]) by
 mx.zohomail.com with SMTPS id 1476952304048429.50904326797684;
 Thu, 20 Oct 2016 01:31:44 -0700 (PDT)
Date: Thu, 20 Oct 2016 10:31:39 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-questions@freebsd.org
Cc: "Kristof Provost" <kp@FreeBSD.org>
Subject: Re: 10.3 : PF and fragmented packets
Message-ID: <20161020103139.22eab09e@mr185083>
In-Reply-To: <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>
References: <20161014160649.658a32cd@mr185083>
 <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; amd64-portbld-freebsd10.3)
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 08:31:54 -0000

Le Fri, 14 Oct 2016 16:34:11 +0200,
"Kristof Provost" <kp@FreeBSD.org> a écrit :

Hello,

> > Looks like PF filters out fragmented packets on 10.3, at leat icmp
> > and UDP. (this is not the behavior of OpenBSD 5.X)
> >  
> I would expect pf to drop fragments (on both v4 and v6) if it?s 
> configured to
> do so and pass them if configured to do so, certainly if scrub
> fragment reassemble is not set.
> 
> > Shall I play with the scrub option to allow them ?
> >  
> You almost certainly want ?scrub in fragment reassemble? or 
> something similar,
> yes.

Thanks that works fine (scrub in all fragment reassemble)

We have migrated from OpenBSD 5 to FreeBSD (because of load problem)
and it looks like the behavior of PF between this two OS is not the
same.

OpenBSD pf.conf(5) man page states the same thing about packets
fragmentation handling than FreeBSD. So I don't know why it worked
before.

Anyway that's ok now
Best regards.