On Tue, Jun 7, 2011 at 3:50 PM, Gary Palmer <gpal...@freebsd.org> wrote:
> Hi,
>
> I noticed after running test-ipv6.com at home that I was getting
>
> 2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0:
> 2001:4998:0:6::11 > <my IP>: frag (0|1424) 80 > 62594: . 0:1392(1392) ack 1
> win 8211 <nop,nop,timestamp 3656890291 1004528553>
> 2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0:
> 2001:4998:0:6::11 > <my IP>: frag (1424|16)
>
> on my FreeBSD 7.3-RELEASE firewall. "man pf.conf" says
>
> Currently, only IPv4 fragments are supported and IPv6 fragments are
> blocked unconditionally.
>
> Is this correct? If so, what is the correct way of getting IPv6 fragmented
> packets through a pf firewall, or which version of FreeBSD introduces a PF
> version that natively handles IPv6 fragments?
>
> Thanks,
>
> Gary

Unless I'm mistaken, there shouldn't be any fragments for IPv6, at least nothing traversing IPv6-capable routers. MTU path-discovery is supposed to take care of that and any fragmentation is supposed to be done on the sending host once path-discovery determines the correct MTU.

http://en.wikipedia.org/wiki/IPv6_packet#Fragmentation

-Proto
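
For triaging drops like the two log lines quoted in this thread, the following added example (not code from the thread or from pf) parses pflog lines of that shape and summarizes each blocked IPv6 fragment train. It assumes `frag (A|B)` means offset|length of the fragment payload, that no other extension headers precede the Fragment header, and it uses the constructed placeholder `2001:db8::1` for `<my IP>`; the function and field names are hypothetical.

```python
import re

# Constructed sample: the two log lines from the post, with "<my IP>"
# replaced by a documentation-prefix placeholder address.
SAMPLE_LOG = (
    "2011-06-07 20:35:55.588335 rule 279/0(match): block in on gif0: "
    "2001:4998:0:6::11 > 2001:db8::1: frag (0|1424) 80 > 62594: . "
    "0:1392(1392) ack 1 win 8211 <nop,nop,timestamp 3656890291 1004528553>\n"
    "2011-06-07 20:35:55.588521 rule 279/0(match): block in on gif0: "
    "2001:4998:0:6::11 > 2001:db8::1: frag (1424|16)\n"
)

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): block in on (?P<ifname>\S+): "
    r"(?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"frag \((?P<off>\d+)\|(?P<len>\d+)\)"
)
IPV6_HDR = 40  # fixed IPv6 header, bytes
FRAG_HDR = 8   # IPv6 Fragment extension header, bytes

def blocked_fragment_trains(log_text):
    """Return one summary dict per IPv6 fragment train logged as blocked."""
    trains, open_train = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a blocked IPv6 fragment line
        key = (int(m["rule"]), m["ifname"], m["src"], m["dst"])
        off, length = int(m["off"]), int(m["len"])
        # The short log format shows no fragment ID, so offset 0 is taken
        # as the start of a new train for this flow (heuristic).
        if off == 0 or key not in open_train:
            open_train[key] = len(trains)
            trains.append({"rule": key[0], "ifname": key[1],
                           "src": key[2], "dst": key[3], "frags": []})
        trains[open_train[key]]["frags"].append((off, length))
    for t in trains:
        frags = sorted(t["frags"])
        ends = [o + n for o, n in frags]
        t["payload_bytes"] = max(ends)  # fragmentable payload seen so far
        t["contiguous"] = frags[0][0] == 0 and all(
            frags[i + 1][0] == ends[i] for i in range(len(frags) - 1))
        # Size of the largest fragment as an IPv6 packet on the wire.
        t["largest_on_wire"] = IPV6_HDR + FRAG_HDR + max(n for _, n in frags)
    return trains

if __name__ == "__main__":
    for train in blocked_fragment_trains(SAMPLE_LOG):
        print(train)
```

A contiguous train that starts at offset 0 indicates ordinary sender-side fragmentation being dropped by the block rule rather than stray or overlapping fragments.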