Max Laier wrote:
> On Friday 29 June 2007, Max Laier wrote:
> Does anyone know of a tool to generate nasty fragments to really test
> this? Reordered / overlapping / etc. ?
I generally set up a chain using /usr/ports/security/fragrouter
[server]<->[A fragrouter box B]<->[Device under test]<->[cli
Max,
I have applied the patch, seems to be working fine, thank you.
Vadym Chepkov
- Original Message -
From: "Max Laier" <[EMAIL PROTECTED]>
To:
Cc: "Hugo Koji Kobayashi" <[EMAIL PROTECTED]>
Sent: Friday, June 29, 2007 9:04 AM
Subject: Re: udp fragme
On Friday 29 June 2007, Max Laier wrote:
> On Friday 29 June 2007, Pyun YongHyeon wrote:
> > On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > > > > The only thing common about your setup seems to be the bge(4)
> > > > > NIC. Can you try disabling hardware checksumming (ifconfig
> >
On Friday 29 June 2007, Pyun YongHyeon wrote:
> On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> > [ Please don't top post, fixed ]
> >
> > On Thursday 28 June 2007, Vadym Chepkov wrote:
> > > From: "Max Laier" <[EMAIL PROTECTED]>, Thursday, June 28, 2007
> > > 3:34 PM
> > >
> >
On Thu, Jun 28, 2007 at 10:56:01PM +0200, Max Laier wrote:
> [ Please don't top post, fixed ]
>
> On Thursday 28 June 2007, Vadym Chepkov wrote:
> > From: "Max Laier" <[EMAIL PROTECTED]>, Thursday, June 28, 2007 3:34 PM
> > > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > > On Th
[ Please don't top post, fixed ]
On Thursday 28 June 2007, Vadym Chepkov wrote:
> From: "Max Laier" <[EMAIL PROTECTED]>, Thursday, June 28, 2007 3:34 PM
> > On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > > > Just to confirm
On Thu, Jun 28, 2007 at 09:34:18PM +0200, Max Laier wrote:
> On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> > On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > dig @a.ns.se se dnskey +dnssec +bufsize=4500
> >
> > This query is supposed to receive a DNS answer of more than 4KB
Yes, this eliminated the issue. Bug in bge driver?
- Original Message -
From: "Max Laier" <[EMAIL PROTECTED]>
To: "Hugo Koji Kobayashi" <[EMAIL PROTECTED]>
Cc: ; "Vadym Chepkov" <[EMAIL PROTECTED]>
Sent: Thursday, June 28, 2007 3:34 PM
On Thursday 28 June 2007, Hugo Koji Kobayashi wrote:
> On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> > Just to confirm I'm testing the right
> > cases, my setup looks like:
> >
> > Host1 Host2 Host3
> >
> > netsend -> pf scrub -> pf scrub -> netreceive
>
> I'm not sure I u
I concur, this command doesn't work from my server with PF running as well,
so it's easily reproducible.
dig @a.ns.se se dnskey +dnssec +bufsize=4500
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To un
Hi Max,
On Thu, Jun 28, 2007 at 07:19:25PM +0200, Max Laier wrote:
> On Monday 04 June 2007, Max Laier wrote:
> > Hi again,
> >
> > On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > > pf is running on the DNS client machine. The DNS server is on a
> > > completely different network (I don't c
Mine is SmartMicro server, AMD opteron, bge interfaces
head /etc/make.conf
CPUTYPE=opteron
CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
MAKEOPTS="-j4"
bge1: flags=8843 mtu 1500
options=1b
inet 192.168.17.1 netmask 0xff00 broadcast 192.168.17.255
ether 00:30:48:5c:27:ad
m
On Monday 04 June 2007, Max Laier wrote:
> Hi again,
>
> On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > pf is running on the DNS client machine. The DNS server is on a
> > completely different network (I don't control this server). The
> > client can send the udp request with no problem (it
Max,
Have you had a chance to look into the udp fragmentation problem (posting on
June 4th)? I don't see the problem listed in a regular bug report; do I need
to submit a new one?
Just to remind you what the problem is: after scrubbing, a fragmented UDP packet
gets dropped by the kernel due to a bad che
Max,
This is exactly the same problem I have experienced before and I wrote about it in
the "Scrub problem" note on April 14.
I see amanda packets get lost after normalization and you are right, this is
exactly what is happening - bad checksum for reassembled UDP packets:
$ netstat -ssp udp
udp:
1
Hi,
Yes. It increments every time I run that dig command. Before this
test, I had run it twice.
Regards,
Hugo
On Mon, Jun 04, 2007 at 10:00:03PM +0200, Max Laier wrote:
> Hi again,
>
> On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> > pf is running on the DNS client machine. The DNS server
Hi again,
On Monday 04 June 2007, Hugo Koji Kobayashi wrote:
> pf is running on the DNS client machine. The DNS server is on a
> completely different network (I don't control this server). The client
> can send the udp request with no problem (it's a small udp datagram;
> less than 512 bytes), the
Hi Max,
pf is running on the DNS client machine. The DNS server is on a
completely different network (I don't control this server). The client
can send the udp request with no problem (it's a small udp datagram;
less than 512 bytes), the server sends the udp response fragmented,
but the client can
Hi Hugo,
On Thursday 31 May 2007, Hugo Koji Kobayashi wrote:
> Please find attached the tests results after enabling extended
> logging.
>
> I've done the test twice, changing dig's "+bufsize" parameter.
looking at your log file, it seems that the packet traverses pf alright:
> Console begi
Hi Max,
Please find attached the tests results after enabling extended
logging.
I've done the test twice, changing dig's "+bufsize" parameter.
Thanks,
Hugo
On Wed, May 30, 2007 at 10:02:03AM +0200, Max Laier wrote:
> Hi Hugo,
>
> On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> > Whi
Hi Hugo,
On Tuesday 29 May 2007 00:42, Hugo Koji Kobayashi wrote:
> While making some tests with fragmented udp DNS responses (with
> EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
> 7.0 (200705 snapshot).
>
> Our test is a DNS query to a DNSSEC-enabled server which replies w
Hello,
While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with pf in FreeBSD 6.2 and
7.0 (200705 snapshot).
Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do this with the following dig command: