Hey, I've installed unbound into a jail to use it as a nameserver. After setting up PF to allow UDP fragments to the jail's IPv6 address, I still saw PF dropping the UDP fragment packets to and from my jail. According to the pf.conf readme, the IP header of a fragmented packet still contains the protocol type (TCP/UDP), but not the port number. I hope it's not a documentation bug.
Here are the pflog dump lines, showing which packets were dropped:

22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494: [|udp]
22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (1232|224)
22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204: [|udp]
22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (1232|425)

After a couple of hours, I figured out that the culprit in the PF ruleset is the 'proto udp' definition. Here are the working rules:

pass on $int_if inet6 proto tcp from any to $unbound_jail_ip6 port 53 keep state
pass on $ext_if inet6 from any to $unbound_jail_ip6 keep state fragment
pass on $int_if inet6 proto udp from any to $unbound_jail_ip6 port 53 keep state
pass on $int_if inet6 from any to $unbound_jail_ip6 keep state fragment

Referred part of the pf.conf readme:
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=5&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html#end

Cheers,
--
László Károlyi
https://linkedin.com/in/karolyi
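As an added illustration (not part of the original post, and not code from the pf or unbound projects), here is a small Python script that parses the pflog dump lines quoted above and separates the fragments that still expose a transport header and ports from the continuation fragments that carry none. The four log lines are copied from the post as constructed sample input; the regex assumes tcpdump's pflog text format exactly as shown there, and the function and field names (parse_pflog, summarize, blocked_fragment_targets, Fragment) are my own. The point it makes visible is that only the offset-0 piece of a datagram carries UDP/TCP ports, so a 'proto udp ... port 53' rule has nothing to match on the remaining pieces.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the four pflog lines quoted in the post.
PFLOG_SAMPLE = """\
22:23:29.997907 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 5494: [|udp]
22:23:29.997913 rule 0/0(match): block in on em0: 2001:5a0:10::1 > 2a91:4f84:13a5:509f::32: frag (1232|224)
22:23:30.401494 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (0|1232) 53 > 14204: [|udp]
22:23:30.401496 rule 0/0(match): block in on lo0: 2a91:4f84:13a5:509f::32 > 2a91:4f84:13a5:509f::32: frag (1232|425)
"""

# tcpdump's pflog text format (as quoted in the post): "frag (offset|length)"
# marks a fragment; "sport > dport: [|udp]" only follows when the piece
# actually contains the UDP/TCP header.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+): (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): frag \((?P<offset>\d+)\|(?P<length>\d+)\)"
    r"(?: (?P<sport>\d+) > (?P<dport>\d+): \[\|(?P<proto>\w+)\])?$"
)


@dataclass
class Fragment:
    ifname: str
    action: str
    src: str
    dst: str
    offset: int      # byte offset of this piece inside the original datagram
    length: int      # payload bytes carried by this piece
    proto: Optional[str]
    sport: Optional[int]
    dport: Optional[int]

    @property
    def has_transport_header(self) -> bool:
        # Only the first fragment (offset 0) contains the UDP/TCP header,
        # so only it carries port numbers that a port-qualified rule can match.
        return self.offset == 0 and self.dport is not None


def parse_pflog(text: str) -> List[Fragment]:
    """Parse tcpdump-style pflog lines, keeping only fragment records."""
    frags: List[Fragment] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a fragment line (or a format this parser does not know)
        frags.append(Fragment(
            ifname=m["ifname"], action=m["action"], src=m["src"], dst=m["dst"],
            offset=int(m["offset"]), length=int(m["length"]),
            proto=m["proto"],
            sport=int(m["sport"]) if m["sport"] else None,
            dport=int(m["dport"]) if m["dport"] else None,
        ))
    return frags


def summarize(frags: List[Fragment]) -> Dict[str, int]:
    """Count fragments that expose ports versus those that cannot."""
    counts = {"with_ports": 0, "without_ports": 0}
    for f in frags:
        counts["with_ports" if f.has_transport_header else "without_ports"] += 1
    return counts


def blocked_fragment_targets(frags: List[Fragment]) -> Set[Tuple[str, str]]:
    """(interface, destination) pairs with blocked port-less fragments.

    A rule keyed on 'proto udp ... port 53' can never match these pieces,
    so each pair listed here needs a port-less 'fragment' pass rule
    (or fragment reassembly before filtering).
    """
    return {(f.ifname, f.dst) for f in frags
            if f.action == "block" and not f.has_transport_header}


if __name__ == "__main__":
    parsed = parse_pflog(PFLOG_SAMPLE)
    for f in parsed:
        tag = (f"{f.proto} {f.sport}->{f.dport}" if f.has_transport_header
               else "no transport header, no ports to match")
        print(f"{f.ifname}: {f.src} > {f.dst} offset={f.offset} len={f.length} ({tag})")
    print(summarize(parsed))
    print(sorted(blocked_fragment_targets(parsed)))
```

Run against the quoted lines it reports two fragments with ports (both at offset 0) and two without, and names em0 and lo0 towards the jail address as the places where a port-less rule is needed, which is exactly where the post's two 'keep state fragment' rules go. The other option FreeBSD's pf.conf(5) documents is to reassemble fragments before filtering with 'scrub in all fragment reassemble', after which the ordinary port-qualified rules see whole datagrams; the post's rules instead pass the pieces unreassembled.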
