Date:      Mon, 23 May 2016 18:20:18 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Message-ID:  <bug-207598-17777-B6sVPbIII9@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

Max <maximos@als.nnov.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maximos@als.nnov.ru

--- Comment #3 from Max <maximos@als.nnov.ru> ---
I have reproduced the problem.
I think we shouldn't use a scrub rule without the "in" option, i.e. the rule should be
scrub *in* on gre0 ...
Without "in" this rule is triggered twice ("B" <--> "C"): for the outgoing
*fragmented* echo request and for the incoming fragmented echo reply. As a result,
the length of the received echo request exceeds the MTU on the "C" box. I think it
is not good.
PF.CONF(5): "Traffic normalization is used to sanitize packet content in such a
way that there are no ambiguities in packet interpretation on the receiving
side. The normalizer does IP fragment reassembly to prevent attacks that
confuse intrusion detection systems by sending overlapping IP fragments."
Do we really need "max-mss 1360" on the outgoing flow?
However, the appearance of "Destination Host Unreachable" remains unclear to me. It
is routing stuff. Need to do some research.

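The two rule forms the comment contrasts, shown side by side as an added pf.conf illustration (not taken from the bug report; the report only quotes `scrub in on gre0 ...` and `max-mss 1360`, so the `all` keyword and `fragment reassemble` option in the full rules below are assumed):

```pf
# Assumed original rule: no direction is given, so pf normalizes packets
# both leaving and entering gre0. As the comment describes, the rule is
# then triggered twice between "B" and "C": once for the outgoing
# fragmented echo request and again for the incoming fragmented echo reply.
scrub on gre0 all fragment reassemble max-mss 1360

# Form suggested in the comment: restrict normalization to inbound traffic
# on gre0, so reassembly happens once, on the receiving side, and the
# max-mss clamp is no longer applied to the outgoing flow.
scrub in on gre0 all fragment reassemble max-mss 1360
```

Either form can be syntax-checked without loading it with `pfctl -nf /etc/pf.conf`.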