From owner-freebsd-pf@FreeBSD.ORG Wed Jun 8 08:06:24 2011
From: Mohacsi Janos
To: Gary Palmer
Cc: freebsd-pf@freebsd.org
Date: Wed, 8 Jun 2011 10:06:19 +0200 (CEST)
Subject: Re: IPv6 day, PF and IPv6 fragments
In-Reply-To: <20110607195057.GA37735@in-addr.com>
References: <20110607195057.GA37735@in-addr.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Dear All

On Tue, 7 Jun 2011, Gary Palmer wrote:

> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>
>     Currently, only IPv4 fragments are supported and IPv6 fragments are
>     blocked unconditionally.
>
> Is this correct? If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?

Yes, PF did not support IPv6 fragmentation. In IPv6, fragmentation is done in extension headers, which are not very well supported in either version of PF. Extension headers are very complicated to parse (and reassembly should take place for scrubbing!), therefore the PF implementors probably decided to write the support later, when there is a need for it. However, the situation is not so bad. We have been using PF on FreeBSD since 2005 (FreeBSD 6.x, 7.x, 8.x) with IPv6 enabled and we have no complaint that PF is unconditionally dropping packets with the fragmentation extension. OpenBSD pf in FreeBSD 8.2 still doesn't have support for the IPv6 fragmentation header.

> Thanks,
>
> Gary
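Since pf on these FreeBSD releases drops IPv6 fragments unconditionally, the practical question for an operator is how often that drop hits real traffic and from where. The script below is an added example, not code from the thread or from the FreeBSD project: it parses pflog lines in the tcpdump decode format quoted above (the `frag (offset|length)` form is how tcpdump renders the IPv6 fragment extension header) and counts blocked IPv6 fragments per source, interface and rule number. The sample log text is constructed for the example; the destination address `2001:db8::1` and the second, IPv4 line are placeholders, not values from the post.

```python
import re
from collections import Counter
from typing import Optional

# tcpdump decode of a pflog record carrying an IPv6 fragment extension header:
# "<date> <time> rule N/0(match): block in on IFACE: SRC > DST: frag (OFF|LEN) ..."
# DST may be empty (as in the quoted lines), so it is matched with \S*? .
PFLOG_V6_FRAG = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\([\w-]+\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S*?): frag \((?P<off>\d+)\|(?P<len>\d+)\)"
)

# Constructed sample input (hypothetical, for this example only).
SAMPLE_LOG = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > : frag (1424|16)
2011-06-07 20:36:01.000000 rule 12/0(match): pass in on gif0: 2001:db8:2::5.443 > 2001:db8::1.50000: S 1:1(0) win 65535
2011-06-07 20:36:02.000000 rule 279/0(match): block in on em0: 192.0.2.10 > 198.51.100.5: (frag 1234:16@1480)
"""


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return a dict for an IPv6-fragment pflog line, or None for any other line.

    IPv4 fragments are decoded by tcpdump as "(frag id:len@off)", which this
    pattern deliberately does not match; the ':' check on the source address
    is a second guard so only IPv6 records are reported.
    """
    m = PFLOG_V6_FRAG.match(line.strip())
    if not m or ":" not in m.group("src"):
        return None
    return {
        "timestamp": m.group("ts"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "direction": m.group("dir"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst") or "<unknown>",
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        # Offset 0 is the first fragment, the only one carrying the L4 header.
        "first_fragment": m.group("off") == "0",
    }


def summarize_ipv6_frag_blocks(log_text: str) -> Counter:
    """Count blocked IPv6 fragments keyed by (source, interface, rule number)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_pflog_line(line)
        if ev and ev["action"] == "block":
            counts[(ev["src"], ev["iface"], ev["rule"])] += 1
    return counts


if __name__ == "__main__":
    for (src, iface, rule), n in summarize_ipv6_frag_blocks(SAMPLE_LOG).most_common():
        print(f"{n:5d} blocked IPv6 fragments from {src} on {iface} (rule {rule})")
```

Feed it the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or the live `pflog0` interface) to see which peers are affected by the unconditional drop; a high count from a single source with offset-0 fragments is typically a large response, such as the HTTP transfer in the quoted lines, that exceeds the path MTU on the tunnel interface.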