From owner-freebsd-pf@FreeBSD.ORG Wed May 30 14:02:16 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F418A16A46C for ; Wed, 30 May 2007 14:02:15 +0000 (UTC) (envelope-from max@love2party.net)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.freebsd.org (Postfix) with ESMTP id 8C50213C44C for ; Wed, 30 May 2007 14:02:15 +0000 (UTC) (envelope-from max@love2party.net)
Received: from [88.66.6.92] (helo=max41.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu8) with ESMTP (Nemesis), id 0ML31I-1HtOkd0JpO-00045g; Wed, 30 May 2007 16:02:11 +0200
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Wed, 30 May 2007 10:02:03 +0200
User-Agent: KMail/1.9.4
References: <20070528224225.GC40678@registro.br>
In-Reply-To: <20070528224225.GC40678@registro.br>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200705301002.04911.max@love2party.net>
X-Provags-ID: V01U2FsdGVkX18PubWOU8UcizjWKbrSmECn5wYd6ZXoNGpqUNb ErOE1DjPcZ725KHfydiYWeCKhdj7+IIHdRPHZ+TzshM1yH40gI 5aTRxFsYgHH+9Kdvin05Q==
Cc: Hugo Koji Kobayashi
Subject: Re: udp fragmentation
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 30 May 2007 14:02:16 -0000

Hi Hugo,

On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies with
> a ~4KB udp response. We do this with the following dig command:
>
> dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
>
> pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries
> time out. Disabling the firewall, complete replies are received with no
> problem. The same test was run on an OpenBSD 4.1 box with no problem.
>
> Complete test results were sent to the freebsd-stable and freebsd-net
> mailing lists and can be found here:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
>
> (The email message above includes tests with ipf)
>
> pf rules look like this in all tests:
>
> scrub in all fragment reassemble
> block drop in log all
> pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
> pass out on bge0 proto tcp all flags S/SA keep state
> pass out on bge0 proto udp all keep state
> pass out on bge0 proto icmp all keep state
>
> Am I doing something wrong? Is there anything else I should try on
> FreeBSD?

Can you enable extended logging (pfctl -xm) and check your console for
messages? Also please check "pfctl -si" for counter increases.

Thanks,

-- 
Max
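The counter check Max asks for is easiest to read as a before/after diff: snapshot `pfctl -si` before the failing dig, run the query, snapshot again, and print only the Counters that grew (a rising `fragment` or `normalize` count points at the scrub/reassembly path rather than the filter rules). The script below is an added example, not code from the thread or from the pf project. It assumes only POSIX sh and awk; the two snapshots it parses are constructed text that mimics the layout of `pfctl -si` output on FreeBSD, with made-up numbers.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): diff two "pfctl -si"
# snapshots and report the pf Counters that increased between them.
# On a real box you would produce the snapshots with:
#   pfctl -si > before.txt; dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0; pfctl -si > after.txt

# pf_counter_delta BEFORE_FILE AFTER_FILE
# Prints "name delta" for every line in the Counters section whose value
# grew. Sections start with a capitalised heading in column 0 ("State Table",
# "Counters"); counter lines are indented, so we track which section we are in.
pf_counter_delta() {
    awk '
        /^Counters/        { in_counters = 1; next }   # enter Counters section
        /^[A-Z]/           { in_counters = 0 }         # any other heading ends it
        in_counters && NF >= 2 {
            if (FNR == NR) before[$1] = $2             # first file: remember values
            else if ($2 - before[$1] > 0) print $1, $2 - before[$1]
        }
    ' "$1" "$2"
}

# write_pf_samples DIR
# Writes two CONSTRUCTED snapshots (format modelled on pfctl -si, numbers
# invented) so the example runs offline. Only "match" and "fragment" differ.
write_pf_samples() {
    cat > "$1/before.txt" <<'EOF'
Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                            1200            0.3/s
  inserts                               40            0.0/s
  removals                              36            0.0/s
Counters
  match                                 60            0.0/s
  bad-offset                             0            0.0/s
  fragment                               2            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
EOF
    cat > "$1/after.txt" <<'EOF'
Status: Enabled for 0 days 01:02:09           Debug: Urgent

State Table                          Total             Rate
  current entries                        4
  searches                            1210            0.3/s
  inserts                               40            0.0/s
  removals                              36            0.0/s
Counters
  match                                 61            0.0/s
  bad-offset                             0            0.0/s
  fragment                               5            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
EOF
}

# Demo on the constructed snapshots; prints "match 1" and "fragment 3".
demo_dir=$(mktemp -d)
write_pf_samples "$demo_dir"
pf_counter_delta "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

Only the Counters section is compared; the State Table block is deliberately skipped because `searches` grows on every packet and would drown out the interesting counters. Run the failing dig exactly once between the two snapshots so each reported delta can be attributed to that single query.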