On Fri, 07 Mar 2003, Daniel Hartmeier wrote:

> Your ruleset looks fine, that's exactly how it should work (rdr on
> external, nat on internal, scrub on both).

That's good to know. Would "scrub in all" work just as well as "scrub in on {$ExtIf, $IntIf} all fragment reassemble"?

> It must be somehow related to the fragmentation. For some reason, the pf
> box is not reassembling the fragments. To determine the reason, can you
>
> a) enable debug logging with pfctl -x m, and check /var/log/messages
> for entries related to pf fragment reassembly? Ideally, quote all
> lines related to one packet's fragments being reassembled.

A few of these lines were repeated in /var/log/messages. Here they are without the repeats.

pf_normalize_ip: IP_DF
pf_normalize_ip: dropping bad fragment
Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: IP_DF
Mar  7 15:20:02 reflect /bsd: pf_normalize_ip: dropping bad fragment

> b) get a tcpdump -nvvvXSpi $IntIF output from the pf box for all
> fragments of a single packet.
>
> One possible explanation would be if the fragments have the DF (don't
> fragment) flag set.

Indeed, it does. I took a look at the tcpdump and the fragments do have the DF flag set.

> pf, prior to -current as of a few weeks ago, drops
> them unconditionally. If that's the problem, you could try a snapshot
> (which is stable, now that we approach 3.3-release). If not, hopefully
> the additional output from above shows something.

Excellent. Thank you for the help. I'll try -current and see how that turns out. If it's still a problem, I'll include the dumped packets, but I think you found the issue.

Thanks again,
pete
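For readers hitting the same "dropping bad fragment" / IP_DF log lines, the following pf.conf excerpt is an added example (not pete's ruleset or anything from the thread) that places the scrub rule where Daniel describes and adds the no-df scrub option, which pf.conf(5) documents for exactly this case of fragments arriving with the don't-fragment bit set. The interface names are assumed, and you should confirm that your pf version supports no-df and random-id.

```conf
# Added example, not from the thread. Interface names are assumed.
ExtIf = "fxp0"
IntIf = "fxp1"

# As originally written: fragments are reassembled, but any fragment that
# arrives with DF set is rejected by pf_normalize_ip, which shows up in the
# debug log (pfctl -x m) as "pf_normalize_ip: IP_DF" followed by
# "pf_normalize_ip: dropping bad fragment".
#scrub in on { $ExtIf, $IntIf } all fragment reassemble

# Mitigation when you cannot move to a newer pf: clear the DF bit so those
# fragments can be reassembled. Some stacks send DF fragments with a zero IP
# id, so pf.conf(5) recommends pairing no-df with random-id.
scrub in on { $ExtIf, $IntIf } all no-df random-id fragment reassemble

# rdr and nat rules follow as before (rdr on $ExtIf, nat on $IntIf).
```

Syntax-check with pfctl -nf /etc/pf.conf before loading it with pfctl -f; note that clearing DF disables path MTU discovery for the packets it touches, so an upstream router may fragment them instead.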