Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 02 Jun 2005 14:01:09 +1000
From:      Mark Andrews <Mark_Andrews@isc.org>
To:        freebsd-stable@freebsd.org
Subject:   ipf and fragments
Message-ID:  <200506020401.j524199E090035@drugs.dv.isc.org>

next in thread | raw e-mail | index | archive | help

	It looks like ipf in not handling fragmented UDP respones
	correctly.  Is there anything in particular that I need to
	say to ipf to make it process the fragments?  Unfragemented
	responses make it through the firewall.  It appears to be
	independent of fragment order.

FreeBSD bsdi.dv.isc.org 4.11-STABLE FreeBSD 4.11-STABLE #22: Mon Jan  3 22:18:47 EST 2005     marka@bsdi.dv.isc.org:/usr/obj/usr/src/sys/BSDI  i386

	Mark

# ipfstat
 IPv6 packets:          in 113941974 out 85668683
 input packets:         blocked 17889 passed 148735618 nomatch 39228854 counted 0 short 0
output packets:         blocked 880 passed 118396248 nomatch 13144559 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 17468 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 162370     lost 260
packet state(out):      kept 97632      lost 880
ICMP replies:   17464   TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  75931163        (out):  73331918
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  272     failed: 0
Fastroute successes:    17464   failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none



13:44:50.908545 220.237.98.197.3484 > 65.201.175.17.53:  20803 [1au] Type65323? NLnetLabs.nl.dlv.verisignlabs.com. (62)
                         4500 005a a14b 0000 3f11 a9ba dced 62c5
                         41c9 af11 0d9c 0035 0046 024a 5143 0010
                         0001 0000 0000 0001 094e 4c6e 6574 4c61
                         6273 026e 6c03 646c 760c 7665 7269 7369
                         676e 6c61 6273 0363 6f6d 00ff 2b00 0100
                         0029 0800 0000 8000 0000
13:44:51.146830 65.201.175.17.53 > 220.237.98.197.3484:  20803*-% 2/2/7 Type65323, RRSIG (1472) (frag 1441:1480@0+)
                         4500 05dc 05a1 2000 2d11 31e3 41c9 af11
                         dced 62c5 0035 0d9c 0636 4b6f 5143 8410
                         0001 0002 0002 0007 094e 4c6e 6574 4c61
                         6273 026e 6c03 646c 760c 7665 7269 7369
                         676e 6c61 6273 0363 6f6d 00ff 2b00 01c0
                         0cff 2b00 0100 000e 1000 18ab 0f05 0181
                         ee88 356d f3c3 0775 4944 5ed2 fb1c 92ad
                         c806 41c0 0c00 2e00 0100 000e 1000 a8ff
                         2b05 0500 000e 1042 c506 1242 9d79 1216
                         2203 646c 760c 7665 7269 7369 676e 6c61
                         6273 0363 6f6d 001e 5875 50a4 bdde 8799
                         365d e8e9 b3a7 cd7d 713d 1789 1715 4ff2
                         587e 1f1a 0b94 f3bf 2fa5 622d 82de 25ce
                         d86f 486b 202a 22d6 35e2 29fc 715c dbe5
                         0245 c4d4 40e8 9a1e f9d5 9044 bb35 7b17
                         9ee9 6361 bc78 b9eb b338 f1b4 53ca 67fb
                         dec1 f435 1969 116a eb12 0376 a710 a3cc
                         8c1c 59a2 93fe 23fa 698f 84af 6139 4eb6
                         4cb9 6f68 c2f1 89c0 7500 0200 0100 0151
                         8000 0603 6e73 31c0 75c0 7500 2e00 0100
                         0151 8000 a800 0205 0300 0151 8042 c506
                         1242 9d79 1216 2203 646c 760c 7665 7269
                         7369 676e 6c61 6273 0363 6f6d 007c 98b9
                         dc0b cae5 cb91 c504 7a03 033b f927 342b
                         f8fd 1f1b 3778 cf05 d686 2c47 8134 692c
                         ae12 89e7 0d80 73ab 3eb9 ed8f 62eb edd8
                         d78a f8f6 c267 92b4 bd1e b08f 28f4 4643
                         93d8 a888 645e 02a2 634b 70b9 a558 81f0
                         c7e0 762a e74c cda8 ef5b 2622 3da3 9cde
                         6e35 69a4 5313 a52b 4fe5 84c1 c4b1 5bc3
                         0485 c348 7638 146e 1d4f 163d cec1 1700
                         0100 0100 0151 8000 0441 c9af 11c1 1700
                         2e00 0100 0151 8000 a800 0105 0400 0151
                         8042 c506 1242 9d79 1216 2203 646c 760c
                         7665 7269 7369 676e 6c61 6273 0363 6f6d
                         009b 4ab5 f9f3 16af 71ab 4fe2 dd5c bdf4
                         7883 87b9 109d ebd9 b7e6 2875 c0b4 5514
                         59cf 636a bbc4 7704 f2c1 52d7 5ece a2e4
                         8a3a 4065 d6b0 af99 91b2 9a16 6642 67e8
                         a599 1cd7 3f1b 281d 999b 0472 516a 81d3
                         5855 84d5 ad0c 381e 383a db85 7526 0d7b
                         86d3 4f3f 675c cddf b919 f682 51ed 758d
                         78da c7e9 9169 f7d8 bac1 6c93 97ec 32e4
                         f3c1 ff00 3000 0100 000e 1000 8601 0003
                         0501 03bd 92d7 1198 4fea 5d6a 5ad9 c517
                         f35c 8ff7 a0cd 30b4 190e 0bba 0e78 6654
                         2702 226f 862c e73e 69e8 25c5 67f2 8484
                         e57f c376 8fbc 78d4 e976 f9db f3d6 2d50
                         af75 3dbc 7b13 20e2 0570 e584 e78b 22f4
                         e409 1a8f 5c59 ffdb d257 442b 81e2 3870
                         4c60 84a5 0bc0 51a5 7c7e 46cc 930e e942
                         641b e7ce 0501 d4ec 051f 8f7f 8c57 40a7
                         3772 f9c1 ff00 3000 0100 000e 1001 0801
                         0103 0503 0100 01bc 361d 912b 03a3 e94d
                         255d 11b7 6f63 5235 972d e04c 5021 24f0
                         2c0b ba1a b48a ff3f 7843 ab3e ec52 30f2
                         e2b5 4740 f363 2af4 0cbf 6bf4 02a4 f2af
                         292b cb4d a5f5 61a6 6ca6 63b1 7c8a db5f
                         4088 01ef 482e 384e c8ac 9083 7c20 fdbc
                         2a43 3509 683e d74f 056c f246 55b6 7738
                         7d65 7916 a99c 20a2 d99e 6ad1 d85e 7201
                         5059 a83f 16ea 47a2 a37b b278 9e62 c51d
                         6f2f fd64 ef5d 2c37 5078 bf71 267d 4256
                         d88c 7317 c1e7 f8ee 289f d5f5 b17b 588b
                         1d2c a968 a2da a789 2e36 723b 3218 6c31
                         b1f6 711d 0de6 1ff1 8e75 fd4a 9c6b 3c10
                         d067 a714 b2b4 9938 ab48 183f 9024 3403
                         d31b 48f5 29d9 9ad9 ff6f 8bac 1900 8615
                         91c4 0f2a eb01 4d86 d472 516b 2179 ca1a
                         d3c7 1f70 a7cb 5bc1 ff00 2e00 0100 000e
                         1001 2800 3005 0300 000e 1042 c506 1242
                         9d79 1213 fd03 646c 760c 7665 7269 7369
                         676e 6c61 6273 0363 6f6d 0030 3507 d02a
                         02cf 82f8 955a 2ee0 d5e4 7e26 8d96 a350
                         a5cc 3342 f268 6cb5 ac7b bfa2 e24c 151b
                         b56b 9c01 737f 9714 1f29 8cb4 39a2 8b41
                         ee3c 349a 20ce 2c0f d786 6cdd 7d9b 862e
                         6b2b b77e 47c6 e712 ec3c 590f 54be 9895
                         4da2 c16a 8c62 f4bc 446c d6f9 db38 29c3
                         907f d065 59a4 c864 62a2 44e9 6631 8a19
                         f9e1 65e4 eaef eb8e 0921 cfce dbcf e03b
                         9414 5878 1cc0 81ef d677 a1e3 2b9f 091b
                         7663 07b1 c71d f4ec ac01 a4a6 5337 0e8e
                         d32b 804d cbcf e1f2 8158 03dc 26ad 91dd
                         8a1a 48ef 6bef b6d4 755b 8a80 4150 433f
                         0091 7975 af5b ec9b 6546 2471 6055 80cb
                         9917 303c 8569 bdbb a682 b13f 0fe7 0022
                         dec8 1b06 c8f5 7f6b 73c7 05a4 880b d3e6
                         6b84 3e87 51f7 13b9 02c2 9cc4 5900 2e00
                         0100 000e 1000 a800 3005 0300 000e 1042
                         c506 1242 9d79 1216 2203 646c 760c 7665
                         7269 7369 676e 6c61 6273 0363 6f6d 0090
                         a57c 2a85 5087 f829 4031 aa59 1211 2538
                         082e 6e21 d56e c0b9 d113 17d7
13:44:51.146887 65.201.175.17 > 220.237.98.197: udp (frag 1441:110@1480)
                         4500 0082 05a1 00b9 2d11 5684 41c9 af11
                         dced 62c5 d679 a96d 8e81 56e6 bddb d3a0
                         f32a 1ed9 6036 ed61 ee91 2577 060f 0239
                         ed0b 322a f7cc 4bca 088d 68b5 8aca 4910
                         7ed0 f810 d650 9d82 720f 938b 7a5d 3460
                         4a18 eb54 4860 92c3 72d3 e220 0b02 272d
                         8aa9 4e99 3cf4 c115 d9f6 e307 3443 d2f0
                         2001 768b 3f11 1900 0029 1000 0000 8000
                         0000
13:44:51.147093 220.237.98.197 > 65.201.175.17: icmp: net 192.168.191.236 unreachable
                         4500 0038 05a1 0000 4001 4497 dced 62c5
                         41c9 af11 0300 97b0 0000 0000 4500 0082
                         05a1 00b9 2d11 15a2 41c9 af11 c0a8 bfec
                         d679 a96d 8e81 56e6

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark_Andrews@isc.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200506020401.j524199E090035>