Hugo Koji Kobayashi wrote:
Hello,
While making some tests with fragmented UDP DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).
Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB UDP response. We do this with the following dig command:
dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
ipf and pf in FreeBSD 6.2 or 7.0 block the fragments and the DNS
queries time out. With the firewall disabled, complete replies are
received with no problem.
We've made the same tests with FreeBSD 4.11 with ipf and OpenBSD 4.1
with pf with no problems. You can see a summary of the tests below.
OS + fw          dig result
fbsd4.11 + ipf   OK
obsd4.1 + pf     OK
fbsd6.2          OK
fbsd6.2 + ipf    timeout
fbsd6.2 + pf     timeout
fbsd7.0          OK
fbsd7.0 + ipf    timeout
fbsd7.0 + pf     timeout
Complete test results (including tcpdump output and firewall rule
sets) are attached.
Can somebody tell us if we hit a bug or if there is something we are
missing?
By the looks of it, you hit a bug.
"scrub in all fragment reassemble" should reassemble good fragments
before evaluating the rules.
--
Sten Daniel Soersdal
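The dig invocation in the report asks for the DNSSEC-signed DNSKEY set of "se" with an EDNS0 buffer of 4500 bytes, so the ~4KB reply is sent as one UDP datagram that IPv4 then fragments; only the first fragment carries the port-53 UDP header, which is why a filter has to reassemble before matching rules, as the reply above says. The Python below is an added illustration, not code from this thread or from ipf/pf: it builds and parses that EDNS0 query in wire format and counts the fragments a reply of a given size needs (the transaction id, the 1500-byte MTU and the 4096-byte reply length are assumed values).

```python
import math
import struct

DNSKEY = 48   # RR type requested by the dig command in the thread
OPT = 41      # EDNS0 pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns0_query(name, qtype, bufsize, do, txid=0x1234):
    """Wire-format query: one question plus one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries ext-RCODE/version/flags (DO is the top flag bit), RDLEN=0.
    ttl = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, ttl, 0)
    return header + question + opt


def parse_edns0(packet):
    """Return (qtype, advertised UDP size, DO bit) from a query built as above."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if (qd, an, ns, ar) != (1, 0, 0, 1):
        raise ValueError("unexpected section counts")
    pos = 12
    while packet[pos] != 0:          # skip the question name labels
        pos += 1 + packet[pos]
    pos += 1
    qtype, _ = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    if packet[pos] != 0:             # OPT RR owner name must be the root
        raise ValueError("additional RR is not an OPT RR")
    rtype, udp_size, ttl, _ = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
    if rtype != OPT:
        raise ValueError("additional RR is not an OPT RR")
    return qtype, udp_size, bool(ttl & 0x8000)


def ipv4_fragments(udp_payload_len, mtu=1500):
    """IPv4 fragments needed for a UDP datagram of this payload size on this MTU.
    Each fragment carries at most mtu-20 bytes (rounded down to a multiple of 8)
    after the IP header; only the first one contains the 8-byte UDP header."""
    per_fragment = (mtu - 20) // 8 * 8
    return math.ceil((8 + udp_payload_len) / per_fragment)
```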