Hugo Koji Kobayashi wrote:
Hello,
While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).
Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do this with the following dig
Ok. I understand that, but in FreeBSD 4.11 it works and without the
"keep frags" the query is blocked. Is it just a misbehaviour of
an old ipf version?
And there is also the different behaviour of pf under OpenBSD. As I
understand, the "scrub" rule should reassemble the fragments and pass
the comp
>
> This should be rejected as "keep frags" is meaningless here.
>
> pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag
The reason is that "ip
This should be rejected as "keep frags" is meaningless here.
pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags
You need
pass in quick from any to any with frag keep frag
--
Mark Andrews, ISC
1 Seymour St., Dun