
Dropping fragmented ICMP echo-reply packets sourced from Solaris?



I've noticed frag'd ICMP echo-replies being dropped by "scrub in" when
they come from a Solaris host.   Is this a known issue?
On a related note, is there any way to log packets dropped by "scrub"?
Doing 'ping -s 1473 target', if the target is a Cisco router or a BSD
machine, the reply packets are accepted and ping shows success, but
the exact same ping command transmitting to Solaris 9/Sparc will fail;
tcpdump shows the packets being received by OpenBSD.
My pf.conf includes a "scrub in" command. Replacing the line with an
explicit scrub command of either "scrub in all fragment reassemble" or
"scrub in all fragment crop" does not change the behavior.
If I comment out the pf.conf line "scrub in", then *ALL* fragmented
ping replies fail and the frags are logged by pflog as dropped packets;
with scrub enabled, only the replies coming from a Solaris machine are
dropped.  This does not appear to be an out-of-order frag problem (see
tcpdump info below).
If I run "sudo ping -c 2 -s 1473 target-solaris", the ping fails:
PING target-solaris (172.25.151.72): 1473 data bytes
--- 172.25.151.72 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
And during that time, "tcpdump -tttt -s 1518 icmp" shows this:
1112315188.969521 172.25.109.31 > 172.25.151.72: icmp: echo request (frag 41696:[email protected]+)
0.000004 172.25.109.31 > 172.25.151.72: (frag 41696:[email protected])
0.001356 172.25.151.72 > 172.25.109.31: icmp: echo reply (frag 57180:[email protected]+) (DF)
0.000004 172.25.151.72 > 172.25.109.31: (frag 57180:[email protected]) (DF)
0.999910 172.25.109.31 > 172.25.151.72: icmp: echo request (frag 47724:[email protected]+)
0.000004 172.25.109.31 > 172.25.151.72: (frag 47724:[email protected])
0.001241 172.25.151.72 > 172.25.109.31: icmp: echo reply (frag 57181:[email protected]+) (DF)
0.000003 172.25.151.72 > 172.25.109.31: (frag 57181:[email protected]) (DF)
###############################
# pf.conf
#
int_if="em0"
TCPState="flags S/SA keep state"
table <TRUSTED>   persist
# normalize all inbound traffic with scrub's default options
scrub in
# default deny inbound; drops on $int_if are logged to pflog
block in
block in log on $int_if
pass out keep state
pass out quick on $int_if inet proto tcp from any to any $TCPState
pass in quick on lo
antispoof quick for lo
pass in quick on $int_if proto tcp from <TRUSTED> to any port ssh $TCPState
pass in quick on $int_if proto tcp from  any  to any port www $TCPState
# allow inbound echo requests; replies to our own pings match the
# state created by "pass out keep state"
pass in quick inet proto icmp from any to any icmp-type echoreq keep state
###EOF###
Thanks,
Kevin Kadow
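As an added example (not part of the post above and not pf's own code), the following Python parses tcpdump's classic IPv4 fragment notation "(frag ID:LEN@OFFSET+)" with an optional trailing "(DF)", groups the fragments per datagram, and applies the rule that pf.conf(5) documents for scrub: a fragmented packet that carries the dont-fragment bit is dropped unless the no-df option is given. The sample capture is constructed for this example (addresses, IP IDs and the 1480+1 split of a 1481-byte ICMP message at a 1500-byte MTU are assumptions, not taken from the post), with one replier that clears DF and one that sets it on every fragment.

```python
"""Classify tcpdump IPv4 fragment lines the way pf's scrub treats them.

Added example, not from the original post. Assumes tcpdump's one-line
frag notation "(frag ID:LEN@OFFSET+)" with an optional trailing "(DF)".
Rule demonstrated: pf.conf(5) documents that scrub drops fragmented
packets carrying the dont-fragment bit unless the no-df option is given.
"""
import re
from collections import defaultdict

# "(frag ID:LEN@OFF)" with '+' when more fragments follow; "(DF)" may trail it.
FRAG_RE = re.compile(
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):.*?"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
    r"(?P<df>\s*\(DF\))?"
)


def parse_frag_line(line):
    """Return a dict for one fragment line, or None if the line is not a fragment."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "id": int(m.group("id")),
        "len": int(m.group("len")),
        "off": int(m.group("off")),
        "more": m.group("more") == "+",
        "df": m.group("df") is not None,
    }


def scrub_verdict(frags, no_df=False):
    """Decide what 'scrub in fragment reassemble' does with one datagram's fragments.

    frags: dicts from parse_frag_line sharing (src, dst, id).
    Returns 'pass: ...' when the fragments reassemble cleanly, 'drop: ...'
    for the DF case, and 'hold: ...' while fragments are still missing.
    """
    if not no_df and any(f["df"] for f in frags):
        return "drop: DF set on fragment (use 'scrub in no-df' to clear it)"
    ordered = sorted(frags, key=lambda f: f["off"])
    expected = 0
    for f in ordered:
        if f["off"] != expected:
            return "hold: gap at offset %d (missing fragment)" % expected
        expected = f["off"] + f["len"]
    if ordered[-1]["more"]:
        return "hold: last fragment not yet seen"
    return "pass: %d bytes reassembled" % expected


def classify_capture(lines, no_df=False):
    """Group fragment lines by (src, dst, ip id) and return {key: verdict}."""
    groups = defaultdict(list)
    for line in lines:
        f = parse_frag_line(line)
        if f:
            groups[(f["src"], f["dst"], f["id"])].append(f)
    return {k: scrub_verdict(v, no_df) for k, v in groups.items()}


# Constructed sample capture (not the post's own output): echo replies to a
# 'ping -s 1473', i.e. 1481 bytes of ICMP split 1480 + 1 at a 1500-byte MTU.
# Host .2 replies without DF; host .3 sets DF on every fragment.
SAMPLE = [
    "10.0.0.2 > 10.0.0.1: icmp: echo reply (frag 100:1480@0+)",
    "10.0.0.2 > 10.0.0.1: (frag 100:1@1480)",
    "10.0.0.3 > 10.0.0.1: icmp: echo reply (frag 200:1480@0+) (DF)",
    "10.0.0.3 > 10.0.0.1: (frag 200:1@1480) (DF)",
]

if __name__ == "__main__":
    print("default scrub:")
    for key, verdict in classify_capture(SAMPLE).items():
        print(" ", key, "->", verdict)
    print("scrub with no-df:")
    for key, verdict in classify_capture(SAMPLE, no_df=True).items():
        print(" ", key, "->", verdict)
```

Run it against a real capture by feeding it the lines of "tcpdump -n icmp" (the regex expects numeric addresses, so use -n); the DF case reports a drop under default scrub and a clean reassembly once no_df=True, which is the behaviour "scrub in no-df" selects in pf.conf.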