Date:      Sat, 31 Aug 2019 23:10:34 +0200
From:      Kristof Provost <kp@freebsd.org>
To:        László Károlyi <laszlo@karolyi.hu>
Cc:        freebsd-bugs@freebsd.org
Subject:   Re: PF and IPv6 UDP fragmented packets
Message-ID:  <20190831211034.GB8888@vega.codepro.be>
In-Reply-To: <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>
References:  <03494d06-63ca-56c5-66bc-cf67704d6cea@karolyi.hu>

On 2019-08-31 22:42:59 (+0200), László Károlyi <laszlo@karolyi.hu> wrote:
> Hey,
> 
> I've installed unbound into a jail to use it as a nameserver. After
> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
> saw PF dropping the UDP fragment packets to and from my jail.
> According to the pf.conf readme, the IP header of the fragmented packets
> still contains the protocol type (TCP/UDP), but not the port number. I
> hope it's not a documentation bug.
> 
You really, really want to have pf reassemble packets prior to
filtering.
Use 'scrub all fragment reassemble'.

Regards,
Kristof
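The following pf.conf fragment is an added example illustrating the advice above; it is not the original poster's ruleset and not code from the FreeBSD project. The interface name (vtnet0) and the jail address (2001:db8::53, from the documentation prefix) are assumptions. It shows why a port-based pass rule alone cannot admit non-first fragments (they carry no UDP header, hence no port), and places the scrub rule where pf.conf's rule ordering requires it, in the normalization section before any filter rule.

```pf
# pf.conf excerpt (added example, not the original configuration)
jail_if = "vtnet0"          # assumed interface the jail's address lives on
jail_v6 = "2001:db8::53"    # assumed jail IPv6 address (documentation prefix)

# --- Normalization (must come before translation/filter rules) ---
# Reassemble fragmented datagrams before they reach the filter.
# Without this, only the first fragment carries the UDP header, so the
# port-based pass rules below never match the remaining fragments and
# they fall through to the default block.
scrub in all fragment reassemble

# --- Filtering ---
# Default deny on the jail interface.
block in on $jail_if

# After reassembly pf sees the complete UDP datagram, including the
# port, so a plain port-based rule is sufficient in both directions.
# The state created on the way in also covers the (reassembled) reply.
pass in  on $jail_if inet6 proto udp to   $jail_v6 port domain keep state
pass out on $jail_if inet6 proto udp from $jail_v6 port domain keep state

# NOT sufficient on its own: a rule without a port cannot admit the
# second and later fragments either, because they are matched as
# fragments, not as UDP datagrams, unless reassembly is enabled.
# pass in on $jail_if inet6 proto udp to $jail_v6
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s rules` should list the scrub rule ahead of the pass rules. Before and after the change, compare the `fragment` line under Counters in `pfctl -s info`: with reassembly in place, fragments that previously counted against the filter should now be reassembled and matched by the port rules instead.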



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190831211034.GB8888>