On Tuesday 21 September 2010, Stuart Henderson wrote:
> On 2010/09/20 12:02, Einar Lvnn wrote:
> > Hi again,
> >
> > Sorry for asking this, but;
> >
> > Did you really test the no-df option in the case where *all*
> > UDP-fragments have DF set? It seems to work fine when "some" have the
> > flag.
>
> I couldn't get it to work with your example command line either..

When you are using a match rule with scrub (no-df), the no-df is not processed 
until the rule is actually applied to a packet. With fragments this does not 
happen - they are reassembled first. Since the current code does not allow 
fragments to enter the fragment cache with the DF flag set, they get dropped. 
If you change your PF log level to notice (`pfctl -x notice` or `set log 
notice`), then you will see messages like the following when this happens:

Sep 21 01:25:40 router /bsd: pf: IP_DF
Sep 21 01:25:40 router /bsd: pf: dropping bad fragment
Sep 21 01:25:40 router /bsd: pf: IP_DF
Sep 21 01:25:40 router /bsd: pf: dropping bad fragment

If you want to clear the DF flag so that these fragments can be reassembled 
then you need to enable no-df for reassembly with the following:

set reassemble yes no-df

This will then clear the DF flag, place the fragments in the fragment cache 
and reassemble the IP datagram, before applying your PF ruleset.
-- 

   "Stop assuming that systems are secure unless demonstrated insecure;
    start assuming that systems are insecure unless designed securely."
          - Bruce Schneier
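The two configurations the reply contrasts, as a pf.conf fragment added here for illustration (it is not from the thread and not from the OpenBSD project): a `match ... scrub (no-df)` rule on its own, which is what the original poster tried and which still drops a datagram whose fragments all carry DF, next to the `set reassemble yes no-df` option that clears DF before reassembly. The interface name and the surrounding rules are assumptions.

```pf
# Added example pf.conf fragment; the interface name and rules are assumed.
ext_if = "em0"

# Clear DF before fragments enter the fragment cache, so a datagram whose
# fragments all have DF set is still reassembled. Without "no-df" on this
# line, such fragments are rejected with "pf: IP_DF" / "pf: dropping bad
# fragment" before any rule below is ever evaluated.
set reassemble yes no-df

# The per-rule no-df only takes effect when this match rule is applied to a
# packet. For fragments that happens after reassembly, which is too late to
# rescue fragments that were already refused by the fragment cache; it still
# clears DF on whole (unfragmented) packets passing this interface.
match on $ext_if scrub (no-df)

pass on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading the file; with the log level raised by `pfctl -x notice`, the "dropping bad fragment" messages for all-DF fragments should stop once the `set reassemble` line carries `no-df`.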
