[pf4freebsd] Re: fixing out of order first fragment processing?
Pyun YongHyeon
yongari at kt-is.co.kr
Wed Sep 15 21:09:25 PDT 2004
On Fri, Jul 23, 2004 at 12:55:56AM +0200, Max Laier wrote:
> On Friday 23 July 2004 00:32, othermark wrote:
> > Max Laier wrote:
> > > On Thursday 22 July 2004 23:34, othermark wrote:
> > > Activation of pf with a
> > > scrub in on <interface> fragment reassemble
> > > rule works as workaround.
> >
> > Thanks for this suggestion,
> >
> > I have a 'scrub in all fragments reassemble' that I just added and loaded
> > to my /etc/pf.conf, which does not seem to solve the problem. Do I have to
> > specify a scrub for each interface in this case (maybe a better question
> > for the pf list)?
>
> Moved. It actually should. Can you please try to # pfctl -x misc and check the
> console? I might well have something wrong, need to cross check.
>
If the DF (don't fragment) bit in the IP header is set and the packet
is fragmented, pf will drop the IP packet. I guess it's natural to
drop the IP packet when such a condition happens.
Check the output of tcpdump.
You can let pf pass the packet with the no-df option.
For instance,
scrub on $interface random-id no-df fragment reassemble
> > > In every case you have to decide if you want to
> > > invest the required memory to store fragments, which might make you
> > > easy/easier prey for DoS-attacks. Usually, for an average gateway the
> > > cost is worth the gain (= increased security).
> >
> > Most of the current systems today are able to handle both types of
> > sequences. It really is a small processing hit, FreeBSD already does
> > some bufferring with proper safeguards/maximums for various
> > traffic patterns.
> >
> > I would suspect some NFS/udp interoperability problems with the way it
> > handles fragments right now.
> >
> > --
> > othermark
> > atkin901 at nospam dot yahoo dot com
> > (!wired)?(coffee++):(wired);
> >
> > _______________________________________________
> > freebsd-current at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
>
> --
> /"\ Best regards, | mlaier at freebsd.org
> \ / Max Laier | ICQ #67774661
> X http://pf4freebsd.love2party.net/ | mlaier at EFnet
> / \ ASCII Ribbon Campaign | Against HTML Mail and News
Best Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
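Added example, not part of the thread or of pf itself: a small Python model of the behaviour Pyun describes, so the effect of scrub with and without no-df can be checked offline. It parses an IPv4 header, classifies a packet as a fragment (MF set or non-zero offset), and reports what the scrub rule would do: a fragment carrying DF is dropped, while no-df clears DF (and fixes the header checksum, which pf must also do) so the fragment goes on to reassembly. The decision logic follows the message above, not pf's source; the sample packets are constructed, and the tcpdump filter string is the check a practitioner would run on the wire to see whether such packets are arriving.

```python
"""Model of pf 'scrub ... fragment reassemble' handling of DF-marked fragments.

Constructed example: the decision rules follow the mailing-list description
(DF + fragment -> drop; no-df clears DF first), not pf's implementation.
"""
import struct

IP_DF = 0x4000        # flags/offset word: don't fragment
IP_MF = 0x2000        # flags/offset word: more fragments
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units

# tcpdump expression for "fragment with DF set": ip[6] holds the flag bits
# (0x40 = DF, 0x20 = MF); ip[6:2] & 0x1fff is the fragment offset.
TCPDUMP_DF_FRAGMENTS = "ip[6] & 0x40 != 0 and (ip[6] & 0x20 != 0 or ip[6:2] & 0x1fff != 0)"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Over a header whose checksum field is already filled in, returns 0 if valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ident: int, flags: int, offset_units: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram (proto 17 in the header, opaque payload)
    for constructed test traffic. Addresses are RFC 5737 documentation space."""
    flags_off = (flags | (offset_units & IP_OFFMASK)) & 0xFFFF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields scrub cares about; reject non-IPv4 or bad checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, ident, flags_off, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return {
        "id": ident,
        "proto": proto,
        "df": bool(flags_off & IP_DF),
        "mf": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFMASK) * 8,   # byte offset of this piece
        "payload_len": total_len - ihl,
    }


def is_fragment(h: dict) -> bool:
    """A packet is part of a fragmented datagram if MF is set or offset > 0."""
    return h["mf"] or h["offset"] > 0


def clear_df(pkt: bytes) -> bytes:
    """What the no-df option does to a packet: clear DF and repair the checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0] & ~IP_DF & 0xFFFF
    hdr = pkt[:6] + struct.pack("!H", flags_off) + pkt[8:10] + b"\x00\x00" + pkt[12:ihl]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[ihl:]


def scrub_decision(pkt: bytes, no_df: bool = False) -> str:
    """'pass', 'drop' or 'reassemble' for one packet under
    'scrub ... fragment reassemble', optionally with 'no-df'."""
    if no_df:
        pkt = clear_df(pkt)
    h = parse_ipv4(pkt)
    if not is_fragment(h):
        return "pass"
    if h["df"]:
        return "drop"          # DF on a fragment: the case described in the thread
    return "reassemble"


# Constructed sample traffic (not a capture): one datagram split in two by a
# sender that, incorrectly, leaves DF set on both fragments, plus a whole packet.
FRAG1_DF = build_ipv4(0x1234, IP_DF | IP_MF, 0, b"A" * 1480)
FRAG2_DF = build_ipv4(0x1234, IP_DF, 185, b"B" * 100)   # offset 185 * 8 = 1480
WHOLE_DF = build_ipv4(0x1235, IP_DF, 0, b"C" * 64)

if __name__ == "__main__":
    for name, p in (("frag1", FRAG1_DF), ("frag2", FRAG2_DF), ("whole", WHOLE_DF)):
        print(name, "without no-df:", scrub_decision(p),
              "| with no-df:", scrub_decision(p, no_df=True))
    print("tcpdump -ni <if> '%s'" % TCPDUMP_DF_FRAGMENTS)
```

Run it to see both fragments reported as dropped under a plain `scrub ... fragment reassemble` and as reassembled once `no-df` is in effect; the unfragmented DF packet passes either way. The printed tcpdump command line is the on-the-wire check corresponding to "check the output of tcpdump" above.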