Date: Mon, 28 May 2007 19:42:25 -0300
From: Hugo Koji Kobayashi <koji@registro.br>
To: freebsd-pf@freebsd.org
Subject: udp fragmentation
Message-ID: <20070528224225.GC40678@registro.br>
Hello,

While making some tests with fragmented UDP DNS responses (with EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and 7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC-enabled server which replies with a ~4KB UDP response. We do this with the following dig command:

    dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

pf in FreeBSD 6.2 or 7.0 blocks the fragments and the DNS queries time out. Disabling the firewall, complete replies are received with no problem. The same test was run on an OpenBSD 4.1 box with no problem.

Complete test results were sent to the freebsd-stable and freebsd-net mailing lists and can be found here:
http://lists.freebsd.org/pipermail/freebsd-stable/2007-May/035154.html
(The email message above includes tests with ipf.)

The pf rules look like this in all tests:

    scrub in all fragment reassemble
    block drop in log all
    pass in log on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh flags S/SA keep state
    pass out on bge0 proto tcp all flags S/SA keep state
    pass out on bge0 proto udp all keep state
    pass out on bge0 proto icmp all keep state

Am I doing something wrong? Is there anything else I should try on FreeBSD?

Thanks,
Hugo