From: "Kristof Provost" <kp@FreeBSD.org>
To: "Patrick Lamaiziere"
Cc: freebsd-questions@freebsd.org
Subject: Re: 10.3 : PF and fragmented packets
Date: Fri, 14 Oct 2016 16:34:11 +0200
Message-ID: <6808974A-0500-4E17-A000-A7A3E02A46DF@FreeBSD.org>
In-Reply-To: <20161014160649.658a32cd@mr185083>
References: <20161014160649.658a32cd@mr185083>

On 14 Oct 2016, at 16:06, Patrick Lamaiziere wrote:
> Looks like PF filters out fragmented packets on 10.3, at least icmp and
> UDP. (this is not the behavior of OpenBSD 5.X)
>

I would expect pf to drop fragments (on both v4 and v6) if it’s configured to do so and pass them if configured to do so, certainly if scrub fragment reassemble is not set.

> Shall I play with the scrub option to allow them ?
>

You almost certainly want ‘scrub in fragment reassemble’ or something similar, yes.

Regards,
Kristof
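The ruleset below is an added illustration of the `scrub in fragment reassemble` setting the reply recommends; it is not from the thread or from the pf project. The interface name `em0`, the chosen services (ICMP echo and UDP/53) and the default-deny policy are assumptions for the example. It targets the pf.conf syntax of FreeBSD 10.x.

```pf
# /etc/pf.conf  (constructed example, not from the mailing-list thread)
ext_if = "em0"          # assumed external interface

# Reassemble fragmented IPv4 and IPv6 datagrams on the way in, before the
# filter rules and state tracking see them.  With this line the rules
# below evaluate complete packets; without it, pf handles each fragment
# on its own and fragmented ICMP/UDP may not pass the way you expect.
scrub in on $ext_if all fragment reassemble

# Default-deny inbound, log what is dropped so fragment drops are visible.
block in log on $ext_if all

# Allow outbound traffic and its replies.
pass out on $ext_if all keep state

# Services the host should answer: ICMP echo and DNS over UDP.
pass in on $ext_if inet  proto icmp  all icmp-type  echoreq keep state
pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state
pass in on $ext_if proto udp from any to any port 53 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. After loading, `pfctl -s info` shows the `fragment` counter, which is a quick way to confirm whether fragments are still being discarded; `pfctl -s rules -v` shows per-rule match counters, and the `log` keyword on the block rule makes dropped fragments visible in `pflog0`.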