On 1 Sep 2019, at 2:31, László Károlyi wrote:
On 2019-08-31 23:10, Kristof Provost wrote:
On 2019-08-31 22:42:59 (+0200), László Károlyi <las...@karolyi.hu> wrote:
Hey,

I've installed unbound into a jail to use it as a nameserver. After
setting up PF to allow UDP fragments to the jail's IPv6 address, I still saw PF dropping the UDP fragment packets arriving to and from my jail. According to the pf.conf readme, the IP header of the fragmented packets still contains the protocol type (TCP/UDP), but not the port number. I
hope it's not a documentation bug.

You really, really want to have pf reassemble packets prior to
filtering.
Use 'scrub all fragment reassemble'.

can I get an explanation/argument as to why, and what implications it
has when I don't enable it?

From man pf.conf:

     fragment reassemble
           Using scrub rules, fragments can be reassembled by normalization.
           In this case, fragments are buffered until they form a complete
           packet, and only the completed packet is passed on to the filter.
           The advantage is that filter rules have to deal only with complete
           packets, and can ignore fragments. The drawback of caching
           fragments is the additional memory cost.

Basically that means that pf gets to look at the complete packet, and it can make decisions about the complete packet as well. So rather than choosing between dropping all fragments or allowing **all** UDP/TCP traffic (because attackers can just fragment to hide the port numbers) you get to enforce your policies.

Regards,
Kristof
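To make the point above concrete: a filter that sees each IPv6 fragment on its own can read the UDP port only from the first fragment (offset 0), because the transport header travels in that fragment alone; every later fragment carries just a fragment header and raw payload, so a port-based rule has nothing to match. The following example, written for this thread and not code from pf or from either poster, builds a constructed IPv6/UDP packet, splits it at the fragment-header layer the way RFC 8200 describes, shows what a per-fragment port check can and cannot see, and then reassembles the fragments the way a normalizer such as "scrub fragment reassemble" does so the port check works again. Addresses, ports, identification value and payload are made up for the demo, and the UDP checksum is left at zero to keep the code short.

```python
import struct

IPPROTO_UDP = 17
IPV6_FRAGMENT = 44   # Fragment extension header (RFC 8200 section 4.5)
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8


def build_ipv6_udp(src, dst, sport, dport, payload):
    """Return one unfragmented IPv6/UDP packet (UDP checksum left zero for the demo)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), IPPROTO_UDP, 64) + src + dst
    return ip6 + udp


def fragment(packet, mtu, ident):
    """Split an IPv6 packet into fragments that each fit in `mtu` bytes.

    Every fragment gets a fresh IPv6 header (next header = 44) followed by a
    fragment header; only the first fragment (offset 0) contains the UDP header.
    """
    ip6, upper = packet[:IPV6_HDR_LEN], packet[IPV6_HDR_LEN:]
    chunk = (mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) // 8 * 8   # offsets are in 8-octet units
    frags = []
    for off in range(0, len(upper), chunk):
        piece = upper[off:off + chunk]
        more = 1 if off + chunk < len(upper) else 0
        # 16-bit field: 13-bit offset in bits 15..3, M ("more fragments") flag in bit 0
        frag_hdr = struct.pack("!BBHI", IPPROTO_UDP, 0, (off // 8) << 3 | more, ident)
        new_ip6 = struct.pack("!IHBB", 0x60000000, FRAG_HDR_LEN + len(piece),
                              IPV6_FRAGMENT, 64) + ip6[8:]   # keep src/dst
        frags.append(new_ip6 + frag_hdr + piece)
    return frags


def udp_dport(packet):
    """What a per-packet filter can see: the UDP destination port, or None when the
    packet is a non-first fragment whose transport header sits in another fragment."""
    next_hdr = packet[6]
    body = packet[IPV6_HDR_LEN:]
    if next_hdr == IPV6_FRAGMENT:
        next_hdr, _, offm, _ = struct.unpack("!BBHI", body[:FRAG_HDR_LEN])
        if offm >> 3 != 0:
            return None          # offset > 0: no UDP header here, port is unknowable
        body = body[FRAG_HDR_LEN:]
    if next_hdr != IPPROTO_UDP or len(body) < 8:
        return None
    return struct.unpack("!H", body[2:4])[0]


def reassemble(frags):
    """Rebuild the original packet from its fragments, in any arrival order.

    Returns None while the set is incomplete (a gap, or the last fragment missing),
    which is the state in which a normalizer keeps buffering instead of passing
    anything to the filter.
    """
    pieces, total, ident, next_hdr = {}, None, None, IPPROTO_UDP
    for f in frags:
        if f[6] != IPV6_FRAGMENT:
            return f             # not fragmented at all
        next_hdr, _, offm, fid = struct.unpack(
            "!BBHI", f[IPV6_HDR_LEN:IPV6_HDR_LEN + FRAG_HDR_LEN])
        if ident is None:
            ident = fid
        elif fid != ident:
            raise ValueError("fragments from different packets")
        off, more = (offm >> 3) * 8, offm & 1
        data = f[IPV6_HDR_LEN + FRAG_HDR_LEN:]
        pieces[off] = data
        if not more:
            total = off + len(data)
    if total is None:
        return None
    upper = b""
    for off in sorted(pieces):
        if off != len(upper):    # gap or overlap: refuse to treat it as complete
            return None
        upper += pieces[off]
    if len(upper) != total:
        return None
    ip6 = struct.pack("!IHBB", 0x60000000, len(upper), next_hdr, 64) + frags[0][8:IPV6_HDR_LEN]
    return ip6 + upper


def demo():
    """Constructed sample: a 1400-byte DNS-sized UDP payload over a 1280-byte MTU."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (example prefix)
    dst = bytes.fromhex("20010db8000000000000000000000053")   # 2001:db8::53 (example prefix)
    pkt = build_ipv6_udp(src, dst, 4242, 53, b"A" * 1400)
    frags = fragment(pkt, 1280, 0xDEADBEEF)
    per_fragment = [udp_dport(f) for f in frags]        # [53, None]: 2nd fragment has no port
    whole = reassemble(frags)
    return per_fragment, udp_dport(whole), whole == pkt  # (.., 53, True) after reassembly


if __name__ == "__main__":
    print(demo())
```

The second fragment in the demo classifies as None: a rule such as "pass in proto udp to port 53" has nothing to match on it, which is exactly why a filter without reassembly is left choosing between dropping every non-first fragment and passing every fragment regardless of policy. Feeding the same fragments through `reassemble` restores the full packet, and the port check succeeds; note that the function also refuses to declare the packet complete while a fragment is missing, which is the buffering behaviour (and the memory cost) the man page excerpt describes.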
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs