From owner-freebsd-questions@freebsd.org  Fri Oct 14 14:34:15 2016
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6ACAAC117AF
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Fri, 14 Oct 2016 14:34:15 +0000 (UTC) (envelope-from kp@FreeBSD.org)
Received: from venus.codepro.be (venus.codepro.be [IPv6:2a01:4f8:162:1127::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits))
 (Client CN "*.codepro.be", Issuer "Gandi Standard SSL CA 2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 338BD667
 for <freebsd-questions@freebsd.org>; Fri, 14 Oct 2016 14:34:15 +0000 (UTC)
 (envelope-from kp@FreeBSD.org)
Received: from [172.16.5.2] (vega.codepro.be [IPv6:2a01:4f8:162:1127::3])
 (Authenticated sender: kp)
 by venus.codepro.be (Postfix) with ESMTPSA id 8AFF115CFD;
 Fri, 14 Oct 2016 16:34:11 +0200 (CEST)
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Patrick Lamaiziere" <patfbsd@davenulle.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: 10.3 : PF and fragmented packets
Date: Fri, 14 Oct 2016 16:34:11 +0200
Message-ID: <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>
In-Reply-To: <20161014160649.658a32cd@mr185083>
References: <20161014160649.658a32cd@mr185083>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (2.0BETAr6058)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 14:34:15 -0000

On 14 Oct 2016, at 16:06, Patrick Lamaiziere wrote:
> Looks like PF filters out fragmented packets on 10.3, at leat icmp and
> UDP. (this is not the behavior of OpenBSD 5.X)
>
I would expect pf to drop fragments (on both v4 and v6) if it’s 
configured to
do so and pass them if configured to do so, certainly if scrub fragment
reassemble is not set.

> Shall I play with the scrub option to allow them ?
>
You almost certainly want ‘scrub in fragment reassemble’ or 
something similar,
yes.

Regards,
Kristof