Kevin wrote:
I've noticed frag'd ICMP echo-replies being dropped by "scrub in" whenOh Yeah,
they come from a Solaris host. Is this a known issue?
That's a long time annoyance of the scrub code, which (wrongly IMO, but others
disagree) drops fragments which have the "DF" bit set. You'll get the same problem
with fragmented UDP packets from Solaris and Linux (typical with NFS)
Cedric
On a related note, is there any way to log packets dropped by "scrub"?
Doing 'ping -s 1473 target', if the target is a Cisco router or a BSD machine, the reply packets are accepted and ping shows success, but the exact same ping command transmitting to Solaris 9/Sparc will fail; tcpdump shows the packets being received by OpenBSD
My pf.conf includes a "scrub in" command. Replacing the line with a explicit scrub command of either "scrub in all fragment reassemble" or "scrub in all fragment crop" does not change the behavior.
If I comment out the pf.conf line "scrub in", then *ALL* fragmented ping replies fail and the frags logged by pflog as dropped packets; with scrub enabled, only the replies coming from a Solaris machine are dropped. This does not appear to be an out-of-order frag problem (see tcpdump info below).
If I run "sudo ping -c 2 -s 1473 target-solaris", the ping fails: PING target-solaris (172.25.151.72): 1473 data bytes --- 172.25.151.72 ping statistics --- 2 packets transmitted, 0 packets received, 100.0% packet loss
And during that time, "tcpdump -tttt -s 1518 icmp" shows this: 1112315188.969521 172.25.109.31 > 172.25.151.72: icmp: echo request (frag 41696:[EMAIL PROTECTED]) 0.000004 172.25.109.31 > 172.25.151.72: (frag 41696:[EMAIL PROTECTED]) 0.001356 172.25.151.72 > 172.25.109.31: icmp: echo reply (frag 57180:[EMAIL PROTECTED]) (DF) 0.000004 172.25.151.72 > 172.25.109.31: (frag 57180:[EMAIL PROTECTED]) (DF) 0.999910 172.25.109.31 > 172.25.151.72: icmp: echo request (frag 47724:[EMAIL PROTECTED]) 0.000004 172.25.109.31 > 172.25.151.72: (frag 47724:[EMAIL PROTECTED]) 0.001241 172.25.151.72 > 172.25.109.31: icmp: echo reply (frag 57181:[EMAIL PROTECTED]) (DF) 0.000003 172.25.151.72 > 172.25.109.31: (frag 57181:[EMAIL PROTECTED]) (DF)
############################### # pf.conf # int_if="em0"
TCPState="flags S/SA keep state"
table <TRUSTED> persist
scrub in
block in block in log on $int_if
pass out keep state
pass out quick on $int_if inet proto tcp from any to any $TCPState
pass in quick on lo antispoof quick for lo
pass in quick on $int_if proto tcp from <TRUSTED> to any port ssh $TCPState pass in quick on $int_if proto tcp from any to any port www $TCPState
pass in quick inet proto icmp from any to any icmp-type echoreq keep state ###EOF###
Thanks,
Kevin Kadow
