Dear All

On Tue, 7 Jun 2011, Gary Palmer wrote:

Hi,

I noticed after running test-ipv6.com at home that I was getting

2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > <my IP>: frag (1424|16)

on my FreeBSD 7.3-RELEASE firewall.  "man pf.conf" says

    Currently, only IPv4 fragments are supported and IPv6 fragments are
    blocked unconditionally.

Is this correct?  If so, what is the correct way of getting IPv6 fragmented
packets through a pf firewall, or which version of FreeBSD introduces a PF
version that natively handles IPv6 fragments?


Yes, PF did not support IPv6 fragmentation. In IPv6 the fragmentation is done in extension headers, which are not very well supported in either version of PF. Extension headers are very complicated to parse (and reassembly should take place for scrubbing!), therefore the PF implementors probably decided to write the support later, when there is a need for it.

However, the situation is not so bad. We have been using PF on FreeBSD since 2005 (FreeBSD 6.x, 7.x, 8.x) with IPv6 enabled and we have no complaints about PF unconditionally dropping packets with the fragmentation extension header.

OpenBSD pf in FreeBSD 8.2 still doesn't have support for the IPv6 fragmentation header.

Thanks,

Gary
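As an added example (not part of this thread), a small Python parser for the pflog/tcpdump-style lines quoted above that picks out the IPv6 fragments pf blocked and totals them per flow and rule, so you can see how much real traffic the unconditional fragment block is dropping. The sample log is constructed from the quoted lines, with `<my IP>` replaced by the documentation address 2001:db8::1 and one unrelated "pass" line added for contrast.

```python
import re

# Constructed sample of pflog output as printed by tcpdump; the third line is
# a made-up non-fragment "pass" entry to show the filter leaving it alone.
SAMPLE_LOG = """\
2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>
2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: 2001:4998:0:6::11 > 2001:db8::1: frag (1424|16)
2011-06-07 20:36:01.000100 rule 12/0(match): pass in on gif0: 2001:db8::2 > 2001:db8::1: [|tcp]
"""

# "<timestamp> rule N/M(reason): <action> <dir> on <iface>: <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): (?P<rest>.*)$"
)
# tcpdump prints IPv6 fragment headers as "frag (offset|length)".
FRAG_RE = re.compile(r"frag \((?P<off>\d+)\|(?P<len>\d+)\)")


def parse_line(line):
    """Return a dict for one pflog line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    frag = FRAG_RE.search(rec["rest"])
    rec["frag"] = (int(frag["off"]), int(frag["len"])) if frag else None
    rec["ipv6"] = ":" in rec["src"]          # crude but sufficient for pflog output
    return rec


def blocked_ipv6_fragments(log_text):
    """Keep only blocked IPv6 packets that carry a fragment header."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["action"] == "block" and r["ipv6"] and r["frag"]]


def summarize(records):
    """Per (src, dst, iface, rule): fragment count, bytes lost, and whether the
    first fragment (offset 0) was among the drops, i.e. the whole datagram is gone."""
    summary = {}
    for r in records:
        key = (r["src"], r["dst"], r["iface"], r["rule"])
        s = summary.setdefault(key, {"fragments": 0, "bytes": 0, "first_fragment": False})
        s["fragments"] += 1
        s["bytes"] += r["frag"][1]
        if r["frag"][0] == 0:
            s["first_fragment"] = True
    return summary
```

Run it over `tcpdump -n -e -ttt -i pflog0` output (or a saved pflog file rendered with tcpdump) to confirm that the drops you see really are the fragment rule and not something else.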

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
