Re: udp fragmentation with pf/ipf

2007-05-31 Thread Sten Daniel Soersdal

Hugo Koji Kobayashi wrote:

Hello,

While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do this with the following dig command:

 dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

ipf and pf in FreeBSD 6.2 or 7.0 block the fragments and the DNS
queries time out. With the firewall disabled, complete replies are received
with no problem.

We've made the same tests with FreeBSD 4.11 with ipf and OpenBSD 4.1
with pf with no problems. You can see a summary of the tests below.

OS + fw         dig result
fbsd4.11 + ipf  OK
obsd4.1 + pf    OK
fbsd6.2         OK
fbsd6.2 + ipf   timeout
fbsd6.2 + pf    timeout
fbsd7.0         OK
fbsd7.0 + ipf   timeout
fbsd7.0 + pf    timeout

Complete test results (including tcpdump output and firewall rule
sets) are attached.

Can somebody tell us if we hit a bug or if there is something we are
missing?



By the looks of it, you hit a bug.

"scrub in all fragment reassemble" should reassemble good fragments 
before evaluating the rules.


--
Sten Daniel Soersdal
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: udp fragmentation with pf/ipf

2007-05-18 Thread Hugo Koji Kobayashi
Ok. I understand that, but in FreeBSD 4.11 it works and without the
"keep frags" the query is blocked. Is it just a misbehaviour of
an old ipf version?

And there is also the different behaviour of pf under OpenBSD. As I
understand, the "scrub" rule should reassemble the fragments and pass
the complete packet on to the filter, making the response arrive to
the application. Am I wrong?


On Fri, May 18, 2007 at 09:50:58AM +1000, Mark Andrews wrote:
> 
> > 
> > This should be rejected as "keep frags" is meaningless here.
> > 
> > pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags
> > 
> > You need
> > 
> > pass in quick from any to any with frag keep frag
> 
>   The reason is that "ip" fragments do not have next-level headers. 
>   


Re: udp fragmentation with pf/ipf

2007-05-17 Thread Mark Andrews

> 
>   This should be rejected as "keep frags" is meaningless here.
> 
> pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags
> 
>   You need
>   
>   pass in quick from any to any with frag keep frag

The reason is that "ip" fragments do not have next-level headers. 
  
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
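As an added illustration, not code from the thread, the following Python models the two points made above: Mark's, that only the first IP fragment carries the UDP header, so a rule on "proto udp ... port = 53" cannot match the later fragments, and Sten's, that reassembling first (what pf's "scrub ... fragment reassemble" does) lets the rule see the whole datagram. The fragment identification 8851, the 1500-byte MTU and the 4086-byte reply size are taken from the thread's logs; the payload bytes and the port 2897 client socket are constructed.

```python
import struct

IHL = 20          # IPv4 header length without options
MTU = 1500        # link MTU on bge0 in the thread

def udp_datagram(payload, sport=53, dport=2897):
    """UDP header (checksum left as 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(ip_payload, ident=8851, mtu=MTU):
    """Split an IP payload the way a sending host does: every fragment
    except the last carries a multiple of 8 bytes. Returns tuples of
    (ident, offset, more_fragments, data)."""
    step = (mtu - IHL) // 8 * 8
    return [(ident, off, off + step < len(ip_payload), ip_payload[off:off + step])
            for off in range(0, len(ip_payload), step)]

def rule_matches_udp_port(frag, port=53):
    """What a 'proto udp ... port = 53' rule can see. Only the fragment at
    offset 0 carries the UDP header; later fragments are bare IP + data."""
    ident, off, more, data = frag
    if off != 0 or len(data) < 8:
        return False
    sport, dport = struct.unpack("!HH", data[:4])
    return port in (sport, dport)

def reassemble(frags):
    """Emulate what pf's 'scrub ... fragment reassemble' does before the
    rules run: rebuild the datagram from a complete set of fragments."""
    frags = sorted(frags, key=lambda f: f[1])
    buf = b""
    for ident, off, more, data in frags:
        if off != len(buf):
            raise ValueError("missing or overlapping fragment at offset %d" % off)
        buf += data
    if frags[-1][2]:
        raise ValueError("last fragment missing, cannot reassemble")
    return buf

def demo():
    """Constructed input: a 4086-byte reply (the MSG SIZE dig reports) from
    port 53 becomes a 4094-byte UDP datagram and three fragments."""
    dgram = udp_datagram(b"\x00" * 4086)
    frags = fragment(dgram)
    ip_lengths = [IHL + len(f[3]) for f in frags]            # [1500, 1500, 1154]
    per_fragment = [rule_matches_udp_port(f) for f in frags]  # [True, False, False]
    after_scrub = rule_matches_udp_port((8851, 0, False, reassemble(frags)))
    return ip_lengths, per_fragment, after_scrub
```

The fragment IP lengths 1500, 1500 and 1154 are the same ones ipmon logged on the 4.11 box, and only the first of them would pass the port-53 rule without reassembly or a "with frag" rule.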


Re: udp fragmentation with pf/ipf

2007-05-17 Thread Mark Andrews

This should be rejected as "keep frags" is meaningless here.

pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags

You need

pass in quick from any to any with frag keep frag
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


udp fragmentation with pf/ipf

2007-05-17 Thread Hugo Koji Kobayashi

Hello,

While making some tests with fragmented udp DNS responses (with
EDNS0), we discovered a possible problem with ipf and pf in FreeBSD
6.2 and 7.0 (200705 snapshot).

Our test is a DNS query to a DNSSEC-enabled server which replies with
a ~4KB udp response. We do this with the following dig command:

 dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

ipf and pf in FreeBSD 6.2 or 7.0 block the fragments and the DNS
queries time out. With the firewall disabled, complete replies are received
with no problem.

We've made the same tests with FreeBSD 4.11 with ipf and OpenBSD 4.1
with pf with no problems. You can see a summary of the tests below.

OS + fw         dig result
fbsd4.11 + ipf  OK
obsd4.1 + pf    OK
fbsd6.2         OK
fbsd6.2 + ipf   timeout
fbsd6.2 + pf    timeout
fbsd7.0         OK
fbsd7.0 + ipf   timeout
fbsd7.0 + pf    timeout

Complete test results (including tcpdump output and firewall rule
sets) are attached.

Can somebody tell us if we hit a bug or if there is something we are
missing?

Thanks,
Hugo

## FreeBSD 4.11 + ipfilter -> dig OK

fbsd4.11# uname -v
FreeBSD 4.11-RELEASE #0: Fri Jan 21 17:21:22 GMT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC 

fbsd4.11# ipf -V
ipf: IP Filter: v3.4.35 (336)
Kernel: IP Filter: v3.4.35  
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

fbsd4.11# ipfstat -ion
@1 pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53 keep state keep frags
@2 pass out quick on bge0 proto tcp/udp from xxx.xxx.xxx.113/32 to any keep state
@3 pass out quick on bge0 proto icmp from xxx.xxx.xxx.113/32 to any keep state
@4 pass out quick on lo0 from any to any
@5 block out log from any to any
@1 pass in quick on bge0 proto tcp from xxx.xxx.xxx.81/32 to xxx.xxx.xxx.113/32 port = 22 keep state
@2 pass in quick on lo0 from any to any
@3 block in log from any to any

fbsd4.11# tcpdump -i bge0 -np host 192.36.144.107
tcpdump: listening on bge0
09:46:16.546878 xxx.xxx.xxx.113.2897 > 192.36.144.107.53:  37118+ [1au] Type48? se. (31)
09:46:16.789319 192.36.144.107.53 > xxx.xxx.xxx.113.2897:  37118*- 8/10/24 Type48[|domain] (frag 8851:[EMAIL PROTECTED])
09:46:16.789325 192.36.144.107 > xxx.xxx.xxx.113: udp (frag 8851:[EMAIL PROTECTED])
09:46:16.789331 192.36.144.107 > xxx.xxx.xxx.113: udp (frag 8851:[EMAIL PROTECTED])

fbsd4.11# grep 192.36.144.107 /var/log/messages
May 17 09:46:16 fbsd4.11 ipmon[54]: 09:46:16.546867 bge0 @0:1 p xxx.xxx.xxx.113,2897 -> 192.36.144.107,53 PR udp len 20 59 K-S K-F OUT
May 17 09:46:16 fbsd4.11 ipmon[54]: 09:46:16.789339 bge0 @0:1 p 192.36.144.107,53 -> xxx.xxx.xxx.113,2897 PR udp len 20 1500 K-S K-F IN
May 17 09:46:16 fbsd4.11 ipmon[54]: 09:46:16.789347 bge0 @-1:-1 p 192.36.144.107 -> xxx.xxx.xxx.113 PR udp len 20 (1500) (frag 8851:[EMAIL PROTECTED]) K-S K-F IN
May 17 09:46:16 fbsd4.11 ipmon[54]: 09:46:16.789353 bge0 @-1:-1 p 192.36.144.107 -> xxx.xxx.xxx.113 PR udp len 20 (1154) (frag 8851:[EMAIL PROTECTED]) K-S K-F IN

fbsd4.11# /usr/local/bin/dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.4.1 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37118
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
[...]
;; Query time: 245 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Thu May 17 09:46:16 2007
;; MSG SIZE  rcvd: 4086




## FreeBSD 6.2 + no firewall -> dig OK

fbsd6.2# uname -v
FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP

fbsd6.2# dig @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0

; <<>> DiG 9.3.3 <<>> @192.36.144.107 se dnskey +dnssec +bufsize=4500 +retry=0
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7745
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 10, ADDITIONAL: 24

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;se.IN  DNSKEY
[...]
;; Query time: 243 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Thu May 17 11:31:39 2007
;; MSG SIZE  rcvd: 4086




## FreeBSD 6.2 + pf -> dig timeout

fbsd6.2# uname -v
FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP 

fbsd6.2# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block drop in log all
pass in on bge0 inet proto tcp from xxx.xxx.xxx.81 to xxx.xxx.xxx.87 port = ssh keep state
pass out on bge0 proto tcp all keep state
pass out on bge0 proto udp all keep state
pass out on bge0 proto icmp all keep state

fbsd6.2# tcpdump