[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF/NAT UDP fragment problem



On Fri, Mar 07, 2003 at 03:27:06PM -0500, Pete Toscano wrote:
> That's good to know.  Would "scrub in all" work just as well as "scrub
> in on {$ExtIf, $IntIf} all fragment reassemble"?
Yes, 'fragment reassemble' is the default, so both do the same thing
(unless you have additional interfaces that you don't want to scrub on,
of course). If you load 'scrub in all' and then display the loaded rules
(with pfctl -sr), you'll see that it gets loaded as 'fragment
reassemble'.
> Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: IP_DF
> Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: dropping bad fragment
Ok, that's it, then.
> Excellent.  Thank you for the help.  I'll try -current and see how that
> turns out.  If it's still a problem, I'll include the dumped packets,
> but I think you found the issue.
With a recent snapshot, add 'no-df' to your scrub rule(s), and pf will
strip the IP_DF flag before reassembly, so the packets can get
reassembled. The snapshots on the ftp mirrors already include that
change.
Daniel