Hi All,

I'm thinking about how I can debug this problem. I enabled logging for blocked packets (block log-all all). My pf.conf looks approximately like this:

    scrub in on wlan0 all
    rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870
    block log-all all
    pass on wlan0 all

The fragmented packets are not redirected to 192.168.0.1, but they are also not blocked, since I don't see them in the logs (with tcpdump -i pflog0). Where do they disappear? Are they just silently discarded by pf?

I also tried to add "log-all" to the scrub rule:

    scrub in log-all on wlan0 all

--> I don't see anything from this rule in the logs either!

My other question is about the option "set debug <level>" that one can write at the beginning of the pf.conf. What is this debug level for? I thought that there is only one way to debug pf rules: with this "log"/"log-all" keyword and the pflog0 interface. Is this debug level some other kind of debugging? When I write the option "set debug none" in the pf.conf, I can still see all packets logged at the pflog0 interface. So, is it something different?

Thanks!
Aleksej.

-----Original Message-----
From: Spenst, Aleksej
Sent: Tuesday, 14 October 2014 16:03
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: Fragmented packets are not redirected

Hi Kristof,

Thank you for your answer. I read that "fragment reassemble" is the default behavior of scrub. So, "scrub in" and "scrub in fragment reassemble" are the same. But just to be sure I've also tried it already -> didn't help.

Regards,
Aleksej.

-----Original Message-----
From: Kristof Provost [mailto:kris...@sigsegv.be]
Sent: Tuesday, 14 October 2014 15:57
To: Spenst, Aleksej
Cc: freebsd-pf@freebsd.org
Subject: Re: Fragmented packets are not redirected

On 2014-10-14 09:33:44 (+0000), Spenst, Aleksej <aleksej.spe...@harman.com> wrote:
> It is clear that if the IP fragments are not reassembled at the server
> they cannot be redirected since the redirection rule is written for
> UDP packets. That is why I have this scrub rule at the very beginning
> of my pf.conf:
>
> scrub in on wlan0 all
>
> I thought that this rule should reassemble all the incoming fragments.
> The reassembled UDP packets should be then correctly passed through
> the rdr rule and redirected to my PC. But this does not happen.
>
I think that you want 'scrub in on wlan0 all fragment reassemble'.

Regards,
Kristof

From: Spenst, Aleksej
Sent: Tuesday, 14 October 2014 11:34
To: freebsd-pf@freebsd.org
Subject: Fragmented packets are not redirected

Hi All,

I have one problem with redirection of fragmented packets.

My use case: A mobile phone sends an RTP video stream to my server. The server has pf installed. All RTP packets are redirected from the server to my PC:

    |Mobile|------>---RTP---->-----|Server|------->---RTP--->-----|PC|

The small RTP packets are redirected to my PC without any problems. The problem is with the large RTP packets that are fragmented and transmitted in several IP fragments. These IP fragments are not redirected to the PC.

The redirection rule at the server:

    rdr on wlan0 proto udp from any to (self) port 9870 -> 192.168.0.1 port 9870

    | S e r v e r |
    ->--|wlan0 eth0|-->-------|PC 192.168.0.1|

It is clear that if the IP fragments are not reassembled at the server they cannot be redirected, since the redirection rule is written for UDP packets. That is why I have this scrub rule at the very beginning of my pf.conf:

    scrub in on wlan0 all

I thought that this rule should reassemble all the incoming fragments. The reassembled UDP packets should then be correctly passed through the rdr rule and redirected to my PC. But this does not happen.

Do you have any ideas/tips?

Thanks a lot!
Aleksej.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
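The point the thread turns on, that a port-based rdr rule can only match a UDP packet whose transport header is actually present, which is true only of the first fragment, can be seen in a small model. This is an added example, not code from the thread or from pf: it builds a constructed 3000-byte UDP datagram to port 9870, fragments it at a 1500-byte MTU, and shows that a port match sees the port only on the first fragment until the fragments are reassembled (reassemble() is a simplified stand-in for what pf's 'scrub ... fragment reassemble' does; checksums and the IP ID are constructed placeholders).

```python
import struct

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (IHL 5; checksums left at zero: constructed sample only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + udp

def fragment(pkt, mtu):
    """Split an IPv4 packet into fragments as RFC 791 describes (offsets in 8-byte units)."""
    hdr, data = pkt[:20], pkt[20:]
    step = (mtu - 20) // 8 * 8          # largest per-fragment payload that is a multiple of 8
    frags = []
    for off in range(0, len(data), step):
        chunk = data[off:off + step]
        more_fragments = 0x2000 if off + step < len(data) else 0
        h = bytearray(hdr)
        h[2:4] = struct.pack("!H", 20 + len(chunk))              # total length of this fragment
        h[6:8] = struct.pack("!H", more_fragments | (off // 8))  # MF flag + fragment offset
        frags.append(bytes(h) + chunk)
    return frags

def udp_dport(pkt):
    """UDP destination port, or None when the packet carries no UDP header (non-first fragment)."""
    offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != 17 or offset != 0 or len(pkt) < 28:
        return None
    return struct.unpack("!H", pkt[22:24])[0]

def rdr_matches(pkt, port=9870):
    """Model of the thread's 'rdr ... proto udp ... port 9870' match: needs a visible UDP header."""
    return udp_dport(pkt) == port

def reassemble(frags):
    """Rebuild the datagram from its fragments (same IP ID assumed; simplified stand-in for scrub)."""
    pieces = {}
    for f in frags:
        offset = struct.unpack("!H", f[6:8])[0] & 0x1FFF
        pieces[offset * 8] = f[20:]
    body = b"".join(pieces[k] for k in sorted(pieces))
    h = bytearray(frags[0][:20])
    h[2:4] = struct.pack("!H", 20 + len(body))
    h[6:8] = b"\x00\x00"                 # no flags, offset zero: a whole packet again
    return bytes(h) + body

if __name__ == "__main__":
    frags = fragment(build_ipv4_udp("192.168.0.50", "192.168.0.10", 5004, 9870, b"R" * 3000), 1500)
    print([rdr_matches(f) for f in frags], rdr_matches(reassemble(frags)))  # [True, False, False] True
```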