Date: Sun, 1 Sep 2019 11:31:57 +0200
From: László Károlyi <laszlo@karolyi.hu>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-bugs@freebsd.org
Subject: Re: PF and IPv6 UDP fragmented packets
Message-ID: <f47f28c9-6dae-bdd7-6eb9-782602f11913@karolyi.hu>
In-Reply-To: <20190831211034.GB8888@vega.codepro.be>
References: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu> <20190831211034.GB8888@vega.codepro.be>

Hi,

can I get an explanation/argument as to why, and what implications it
has when I don't enable it?

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2019-08-31 23:10, Kristof Provost wrote:
> On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo@karolyi.hu> wrote:
>> Hey,
>>
>> I've installed unbound into a jail to use it as a nameserver. After
>> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
>> saw PF dropping the UDP fragment packages arriving to and from my jail.
>> According to the pf.conf readme, the IP header of the fragmented packets
>> still contains the protocol type (TCP/UDP), but not the port number. I
>> hope it's not a documentation bug.
>>
> You really, really want to have pf reassemble packets prior to
> filtering.
> Use 'scrub all fragment reassemble'.
>
> Regards,
> Kristof
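
Added example, not part of the original message and not pf code: a Python illustration of what a filter that inspects each IPv6 packet on its own can read from the two fragments of one large UDP DNS reply, which is the situation that reassembly before filtering resolves. The addresses, ports, sizes and function names are constructed for illustration.

```python
import struct

UDP, FRAGMENT = 17, 44  # IPv6 Next Header values

def ipv6_fragment(payload, offset, more, ident=0x1234):
    """Build a constructed IPv6 packet: base header + Fragment header + payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000053")
    # Fragment header: next header, reserved, 13-bit offset (8-byte units) + M flag, id
    frag = struct.pack("!BBHI", UDP, 0, (offset // 8) << 3 | int(more), ident)
    # Base header: version 6, payload length, Next Header = 44 (Fragment), hop limit
    base = struct.pack("!IHBB", 6 << 28, len(frag) + len(payload), FRAGMENT, 64)
    return base + src + dst + frag + payload

def filter_view(packet):
    """Return the fields a per-packet (non-reassembling) filter can read."""
    view = {"proto": packet[6], "offset": 0, "more": False,
            "sport": None, "dport": None}
    body = packet[40:]
    if view["proto"] == FRAGMENT:
        proto, _, off_flags, _ = struct.unpack("!BBHI", body[:8])
        view.update(proto=proto, offset=(off_flags >> 3) * 8,
                    more=bool(off_flags & 1))
        body = body[8:]
    # The UDP header, and so the ports, exists only in the fragment at offset 0.
    if view["proto"] == UDP and view["offset"] == 0 and len(body) >= 8:
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    return view

def sample_fragments():
    """Constructed sample: a 2000-byte UDP reply from port 53 in two fragments."""
    data = bytes(2000)
    # Checksum field left 0 in this constructed sample; it is not examined here.
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(data), 0) + data
    cut = 1448  # fragment boundaries must be multiples of 8 bytes
    return [ipv6_fragment(udp[:cut], 0, True),
            ipv6_fragment(udp[cut:], cut, False)]

if __name__ == "__main__":
    for pkt in sample_fragments():
        print(filter_view(pkt))
```

The second fragment still identifies its protocol as UDP through the Fragment header, but it has no port fields for a port-based rule to compare against.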