Date: Sun, 01 Sep 2019 09:41:32 -0700 From: "Kristof Provost" <kp@FreeBSD.org> To: "=?utf-8?b?TMOhc3psw7MgS8Ohcm9seWk=?=" <laszlo@karolyi.hu> Cc: freebsd-bugs@freebsd.org Subject: Re: PF and IPv6 UDP fragmented packets Message-ID: <4E3A534E-2AA2-4237-90B3-2981F318E52C@FreeBSD.org> In-Reply-To: <f47f28c9-6dae-bdd7-6eb9-782602f11913@karolyi.hu> References: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu> <20190831211034.GB8888@vega.codepro.be> <f47f28c9-6dae-bdd7-6eb9-782602f11913@karolyi.hu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 1 Sep 2019, at 2:31, László Károlyi wrote:
> On 2019-08-31 23:10, Kristof Provost wrote:
>> On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo@karolyi.hu>
>> wrote:
>>> Hey,
>>>
>>> I've installed unbound into a jail to use it as a nameserver. After
>>> setting up PF to allow UDP fragments to the jail's IPv6 address, I
>>> still
>>> saw PF dropping the UDP fragment packages arriving to and from my
>>> jail.
>>> According to the pf.conf readme, the IP header of the fragmented
>>> packets
>>> still contain the protocol type (TCP/UDP), but not the port number.
>>> I
>>> hope it's not a documentation bug.
>>>
>> You really, really want to have pf reassemble packets prior to
>> filtering.
>> Use 'scrub all fragment reassemble'.
>>
> can I get an explanation/argument as to why, and what implications it
> has when I don't enable it?
From man pf.conf:
fragment reassemble
Using scrub rules, fragments can be reassembled by
normalization. In
this case, fragments are buffered until they form a complete
packet,
and only the completed packet is passed on to the filter.
The
advantage is that filter rules have to deal only with
complete
packets, and can ignore fragments. The drawback of caching
fragments
is the additional memory cost.
Basically that means that pf gets to look at the complete packet, and it
can make decisions about the complete packet as well. So rather than
choosing between dropping all fragments or allowing **all** UDP/TCP
traffic (because attackers can just fragment to hide the port numbers)
you get to enforce your policies.
Regards,
Kristof
From owner-freebsd-bugs@freebsd.org Sun Sep 1 16:48:23 2019
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.nyi.freebsd.org (Postfix) with ESMTP id 91F05DEAB0
for <freebsd-bugs@mailman.nyi.freebsd.org>;
Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
(envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.nyi.freebsd.org (mailman.nyi.freebsd.org
[IPv6:2610:1c1:1:606c::50:13])
by mx1.freebsd.org (Postfix) with ESMTP id 46LzgC3M8wz4WNP
for <freebsd-bugs@freebsd.org>; Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
(envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.nyi.freebsd.org (Postfix)
id 730BCDEAAF; Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
Delivered-To: bugs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
by mailman.nyi.freebsd.org (Postfix) with ESMTP id 72D3FDEAAE
for <bugs@mailman.nyi.freebsd.org>; Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
[IPv6:2610:1c1:1:606c::19:3])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
server-signature RSA-PSS (4096 bits)
client-signature RSA-PSS (4096 bits) client-digest SHA256)
(Client CN "mxrelay.nyi.freebsd.org",
Issuer "Let's Encrypt Authority X3" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id 46LzgC2W2Bz4WNN
for <bugs@FreeBSD.org>; Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
[IPv6:2610:1c1:1:606c::50:1d])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client did not present a certificate)
by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3A6404788
for <bugs@FreeBSD.org>; Sun, 1 Sep 2019 16:48:23 +0000 (UTC)
(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x81GmN5N030406
for <bugs@FreeBSD.org>; Sun, 1 Sep 2019 16:48:23 GMT
(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x81GmNp2030405
for bugs@FreeBSD.org; Sun, 1 Sep 2019 16:48:23 GMT
(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 240252] Add smbios(4) manual page
Date: Sun, 01 Sep 2019 16:48:23 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Documentation
X-Bugzilla-Component: Manual Pages
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: gbergling@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
op_sys bug_status bug_severity priority component assigned_to reporter cc
attachments.created
Message-ID: <bug-240252-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>;
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Sep 2019 16:48:23 -0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D240252
Bug ID: 240252
Summary: Add smbios(4) manual page
Product: Documentation
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Manual Pages
Assignee: bugs@FreeBSD.org
Reporter: gbergling@gmail.com
CC: doc@FreeBSD.org
Created attachment 207069
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D207069&action=
=3Dedit
smbios(4) manpage
The attached patch includes a basic manual page for smbios(4).
--=20
You are receiving this mail because:
You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E3A534E-2AA2-4237-90B3-2981F318E52C>