very odd PF + FreeBSD6.0 problems
Paul Dokas
dokas at oitsec.umn.edu
Fri Dec 16 11:34:31 PST 2005
On Fri, 16 Dec 2005 19:34:47 +0100 Daniel Hartmeier <daniel at benzedrine.cx> wrote:
> The additional checks are automatically enabled when using "reassemble
> tcp", which explains why the same ruleset didn't block the packets on
> 5.4 but now does on 6.0. You can disable "reassemble tcp" and the new
> (and old) TCP checks won't run. See the updated pf.conf(5) man page for
> a full list of checks that this feature enables/disables.
I can confirm this. I'm now running with PF enabled and the following scrub rule:
scrub all fragment reassemble
The previous rule was 'scrub all reassemble tcp' and was the source(?) of the problem.
I'm still digging to find where the problem is located. It's rather slow going as
we have a fairly diverse and complex network installation. The one place that I'm
currently looking at is the FreeBSD 5.4 machine acting as a bridging firewall that
is immediately upstream from me.
Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
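The two scrub variants discussed in this thread, written out as a small pf.conf fragment. This is an added example, not configuration from the original post or from the FreeBSD pf project; the interface name em0 and the pfctl commands in the comments are assumptions for illustration.

```pf
# Old rule (FreeBSD 5.4): full TCP reassembly. On FreeBSD 6.0 this also turns
# on the additional TCP sanity checks, which is what started dropping packets.
# scrub all reassemble tcp

# Replacement: reassemble IP fragments only, leaving the TCP checks disabled.
scrub all fragment reassemble

# Example policy so the fragment is a complete, loadable ruleset
# (em0 is an assumed interface name):
block in log on em0 all
pass out on em0 all keep state
pass in on em0 proto tcp from any to any port 22 flags S/SA keep state

# Checks, run from a shell (not part of the ruleset):
#   pfctl -nf /etc/pf.conf   - parse the file without loading it
#   pfctl -f /etc/pf.conf    - load it
#   pfctl -si                - the "normalize" and "bad-timestamp" counters
#                              show drops coming from scrub rather than
#                              from the filter rules
```

Comparing the pfctl -si counters before and after switching the scrub rule is the quickest way to confirm that the lost packets were being rejected by the normalization checks and not by a block rule elsewhere in the ruleset.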