On Fri, 16 Dec 2005 19:34:47 +0100 Daniel Hartmeier <[EMAIL PROTECTED]> wrote:

> The additional checks are automatically enabled when using "reassemble
> tcp", which explains why the same ruleset didn't block the packets on
> 5.4 but now does on 6.0. You can disable "reassemble tcp" and the new
> (and old) TCP checks won't run. See the updated pf.conf(5) man page for
> a full list of checks that this feature enables/disables.
I can confirm this. I'm now running with PF enabled and the following scrub rule:

    scrub all fragment reassemble

The previous rule was 'scrub all reassemble tcp' and was the source(?) of the problem.

I'm still digging to find where the problem is located. It's rather slow going as we have a fairly diverse and complex network installation. The one place that I'm currently looking at is the FreeBSD 5.4 machine acting as a bridging firewall that is immediately upstream from me.

Paul

--
Paul Dokas
dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf