Penned by Jonas Thambert on 20091210 9:39.33, we have:
| Like a month ago we got a complaint from a user that our website
| was unreachable over IPv6. We have 2x native IPv6 transits. The user
| had bought IPv6 from an ISP that uses tunneling to deliver it
| to the organization. After some packet traces we found out that the
| problem was in PF and that it doesn't seem to handle fragmented IPv6
| packets.
|
| Sure enough, from the man page of pf.conf:
|
| "Currently, only IPv4 fragments are supported and IPv6 fragments are
| blocked unconditionally."
|
| The problem is that some of Sweden's largest ISPs use tunneling for IPv6
| to their customers so we can't just say, ditch em. Teredo seems to work fine.
|
| Is there a workaround or plans to implement support for this in pf? We have multiple
| firewalls and the others have no problems with IPv6 + fragmented packets.
|
|
| //Jonas

Somehow I think Stuart's approach with mss clamping would be better than
letting fragments through like the example pf.conf in the below url..

http://ipv6samurai.blogspot.com/2009/12/technical-quickstart-for-ipv6.html

As far as the real fix goes, I botched a revamp of some v6 fragment
reassembly that was backed out a few years back, and passed it to another
developer who spent some time on it while we were at n2k9, but has not had
time to finish it.

FWIW.
-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:freedae...@ekiga.net
| "..in support of free software solutions."  \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt