Date:      Sun, 01 Sep 2019 09:41:32 -0700
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "László Károlyi" <laszlo@karolyi.hu>
Cc:        freebsd-bugs@freebsd.org
Subject:   Re: PF and IPv6 UDP fragmented packets
Message-ID:  <4E3A534E-2AA2-4237-90B3-2981F318E52C@FreeBSD.org>
In-Reply-To: <f47f28c9-6dae-bdd7-6eb9-782602f11913@karolyi.hu>
References:  <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu> <20190831211034.GB8888@vega.codepro.be> <f47f28c9-6dae-bdd7-6eb9-782602f11913@karolyi.hu>

On 1 Sep 2019, at 2:31, László Károlyi wrote:
> On 2019-08-31 23:10, Kristof Provost wrote:
>> On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo@karolyi.hu> wrote:
>>> Hey,
>>>
>>> I've installed unbound into a jail to use it as a nameserver. After
>>> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
>>> saw PF dropping the UDP fragment packages arriving to and from my jail.
>>> According to the pf.conf readme, the IP header of the fragmented packets
>>> still contain the protocol type (TCP/UDP), but not the port number. I
>>> hope it's not a documentation bug.
>>>
>> You really, really want to have pf reassemble packets prior to filtering.
>> Use 'scrub all fragment reassemble'.
>>
> Can I get an explanation/argument as to why, and what implications it
> has when I don't enable it?

From man pf.conf:

      fragment reassemble
            Using scrub rules, fragments can be reassembled by normalization.
            In this case, fragments are buffered until they form a complete
            packet, and only the completed packet is passed on to the filter.
            The advantage is that filter rules have to deal only with complete
            packets, and can ignore fragments.  The drawback of caching
            fragments is the additional memory cost.

Basically that means that pf gets to look at the complete packet, and it 
can make decisions about the complete packet as well. So rather than 
choosing between dropping all fragments or allowing **all** UDP/TCP 
traffic (because attackers can just fragment to hide the port numbers) 
you get to enforce your policies.

Regards,
Kristof
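The mechanism behind the answer above, as an added worked example that is not part of this thread and not pf's own code: a small Python model of IPv6 fragmentation (header layouts per RFC 8200), a port-based pass rule, and a reassembler standing in for 'scrub all fragment reassemble'. The 2001:db8:: addresses, the 1280-byte MTU, the 1600-byte payload and the cache byte budget are constructed inputs; the Reassembler class is a simplified stand-in and does not reproduce pf's overlap handling or fragment timeouts.

```python
"""Why a filter without reassembly cannot apply port rules to IPv6 fragments,
and what reassembling before filtering buys you. Added model, not pf code."""
import struct

IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8
NH_FRAGMENT = 44          # Next Header value of the Fragment extension header
NH_UDP = 17

# Constructed sample addresses from the 2001:db8::/32 documentation prefix.
CLIENT = bytes.fromhex("20010db8000000000000000000000001")
JAIL = bytes.fromhex("20010db8000000000000000000000053")


def build_ipv6_udp(src, dst, sport, dport, payload):
    """One unfragmented IPv6 packet carrying a UDP datagram (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!IHBB", 0x60000000, len(udp), NH_UDP, 64) + src + dst + udp


def fragment(packet, mtu, ident):
    """Split the payload the way a sending host does: offsets are in 8-byte
    units, so every piece but the last is a multiple of 8 bytes long."""
    hdr, body = packet[:IPV6_HDR_LEN], packet[IPV6_HDR_LEN:]
    nh, hop = hdr[6], hdr[7]
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(body), chunk):
        piece = body[off:off + chunk]
        more = 1 if off + chunk < len(body) else 0
        frag_hdr = struct.pack("!BBHI", nh, 0, (off // 8) << 3 | more, ident)
        ip6 = hdr[:4] + struct.pack("!HBB", FRAG_HDR_LEN + len(piece), NH_FRAGMENT, hop) + hdr[8:]
        frags.append(ip6 + frag_hdr + piece)
    return frags


def udp_ports(packet):
    """What a filter sees without reassembly: (sport, dport), or None for a
    non-first fragment. The 8-byte UDP header sits in the first fragment; every
    later fragment carries the protocol number (fragment header) but no ports."""
    nh, off = packet[6], IPV6_HDR_LEN
    if nh == NH_FRAGMENT:
        nh, _, offm, _ = struct.unpack("!BBHI", packet[off:off + FRAG_HDR_LEN])
        if offm >> 3:                 # fragment offset != 0: no transport header here
            return None
        off += FRAG_HDR_LEN
    if nh != NH_UDP or len(packet) < off + 8:
        return None
    return struct.unpack("!HH", packet[off:off + 4])


def rule_pass_to_port(packet, port):
    """Model of 'pass in inet6 proto udp to <jail> port <port>': cannot match
    when the ports are not visible."""
    ports = udp_ports(packet)
    return ports is not None and ports[1] == port


class Reassembler:
    """Stand-in for 'scrub all fragment reassemble': buffer fragments keyed by
    (src, dst, id) until the datagram is complete, then hand the whole packet
    to the filter. max_bytes makes the man page's memory cost explicit."""
    def __init__(self, max_bytes=256 * 1024):
        self.max_bytes, self.buffered, self.queues = max_bytes, 0, {}

    def feed(self, packet):
        """Return a complete packet to filter, or None while still buffering.
        Raises MemoryError when the fragment cache budget is exhausted."""
        if packet[6] != NH_FRAGMENT:
            return packet                       # not fragmented: filter as-is
        hdr = packet[:IPV6_HDR_LEN]
        nh, _, offm, ident = struct.unpack("!BBHI", packet[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
        piece = packet[IPV6_HDR_LEN + FRAG_HDR_LEN:]
        key = (hdr[8:24], hdr[24:40], ident)
        q = self.queues.setdefault(key, {"nh": nh, "total": None, "pieces": {}})
        old = q["pieces"].get((offm >> 3) * 8)
        self.buffered += len(piece) - (len(old) if old else 0)
        if self.buffered > self.max_bytes:
            raise MemoryError("fragment cache exhausted")
        q["pieces"][(offm >> 3) * 8] = piece
        if not offm & 1:                        # M flag clear: this is the last piece
            q["total"] = (offm >> 3) * 8 + len(piece)
        if q["total"] is None:
            return None
        body = b""
        while len(body) < q["total"]:
            nxt = q["pieces"].get(len(body))
            if not nxt:
                return None                     # hole: keep waiting
            body += nxt
        del self.queues[key]
        self.buffered -= sum(len(p) for p in q["pieces"].values())
        return hdr[:4] + struct.pack("!HBB", len(body), q["nh"], hdr[7]) + hdr[8:] + body


def stateless_verdicts(frags, port):
    """Per-fragment verdicts of the port rule with no scrub in front of it."""
    return [rule_pass_to_port(f, port) for f in frags]


def reassembled_verdict(frags, port):
    """Same rule behind a reassembler: one verdict for the whole datagram."""
    r = Reassembler()
    for f in frags:
        whole = r.feed(f)
        if whole is not None:
            return rule_pass_to_port(whole, port)
    return None                                 # never completed: nothing reached the filter


if __name__ == "__main__":
    pkt = build_ipv6_udp(CLIENT, JAIL, 40001, 53, b"\x00" * 1600)   # constructed datagram
    frags = fragment(pkt, 1280, 0x1234)
    print(stateless_verdicts(frags, 53))        # [True, False]: 2nd fragment can't be matched
    print(reassembled_verdict(frags, 53))       # True
    other = fragment(build_ipv6_udp(CLIENT, JAIL, 40001, 22, b"\x00" * 1600), 1280, 0x1235)
    print(udp_ports(frags[1]), udp_ports(other[1]))   # None None: indistinguishable
```

Run directly, the stateless verdicts come out as [True, False]: the first fragment carries the UDP header, so 'to port 53' can be matched, but the second fragment exposes only the protocol number, which is what the original report observed. The non-first fragment of a datagram aimed at port 22 looks exactly the same to the rule, so a ruleset without reassembly is left choosing between dropping every non-first fragment and passing all of them regardless of port. Behind the reassembler the rule sees one complete datagram and gives a single verdict, which is what 'scrub all fragment reassemble' ahead of an ordinary port rule restores. The max_bytes budget is the man page's "additional memory cost" made explicit: fragments that never complete sit in the cache until they expire, which is why pf bounds it with 'set limit frags'.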

Date:      Sun, 01 Sep 2019 16:48:23 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 240252] Add smbios(4) manual page
Message-ID:  <bug-240252-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240252

            Bug ID: 240252
           Summary: Add smbios(4) manual page
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Manual Pages
          Assignee: bugs@FreeBSD.org
          Reporter: gbergling@gmail.com
                CC: doc@FreeBSD.org

Created attachment 207069
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=207069&action=edit
smbios(4) manpage

The attached patch includes a basic manual page for smbios(4).

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E3A534E-2AA2-4237-90B3-2981F318E52C>