On Tuesday 21 September 2010, Stuart Henderson wrote: > On 2010/09/20 12:02, Einar Lvnn wrote: > > Hi again, > > > > Sorry for asking this, but; > > > > Did you really test the no-df option in the case where *all* > > UDP-fragments have DF set? It seems to work fine when "some" have the > > flag. > > I couldn't get it to work with your example command line either..
When you are using a match rule with scrub (no-df), the no-df is not processed until the rule is actually applied to a packet. With fragments this does not happen - they are reassembled first. Since the current code does not allow fragments to enter the fragment cache with the DF flag set, they get dropped. If you change your PF log level to notice - (`pfctl -x notice` or 'set log notice') then you will see messages like the following when this happens: Sep 21 01:25:40 router /bsd: pf: IP_DF Sep 21 01:25:40 router /bsd: pf: dropping bad fragment Sep 21 01:25:40 router /bsd: pf: IP_DF Sep 21 01:25:40 router /bsd: pf: dropping bad fragment If you want to clear the DF flag so that these fragments can be reassembled then you need to enable no-df for reassembly with the following: set reassemble yes no-df This will then clear the DF flag, place the fragments in the fragment cache and reassemble the IP datagram, before applying your PF ruleset. -- "Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely." - Bruce Schneier