https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276856
Bug ID: 276856
Summary: pf no longer re-assembles fragments by default
Product: Base System
Version: 14.0-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
At some point pf on FreeBSD switched the default behavior for this option so I
had since removed it from the config of several firewalls ...
fragment reassemble
Using scrub rules, fragments can be reassembled by normalization.
In this case, fragments are buffered until they form a complete
packet, and only the completed packet is passed on to the filter.
The advantage is that filter rules have to deal only with complete
packets, and can ignore fragments. The drawback of caching
fragments is the additional memory cost. This is the default
behaviour unless no fragment reassemble is specified.
no fragment reassemble
Do not reassemble fragments.
However, while building a firewall using 14-RELEASE, I realized that fragmented
IPsec ESP packets were not being re-assembled for processing by pf. After
adding this line back into my pf.conf file and reloading, the traffic started
flowing as expected ...
scrub fragment reassemble
My guess is that either the default behavior was reverted unintentionally or
the man page was never modified to match the new-new (old) behavior. Either
way, it's very misleading.
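A config check for the situation the report describes, as an added example that is not part of the bug report: it flags a pf.conf that relies on the documented default instead of carrying an explicit scrub rule, and distinguishes that from an explicit "no fragment reassemble". It assumes POSIX sh and awk; the sample rulesets are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: check a pf.conf for an explicit
# "scrub ... fragment reassemble" rule so the firewall does not depend on the
# documented default the reporter found not to apply on 14.0-RELEASE.
# Assumes POSIX sh and awk; the sample configs below are constructed.

# Prints one word for the given pf.conf:
#   explicit      - an active scrub rule requests fragment reassemble
#   disabled      - an active scrub rule says "no fragment reassemble"
#   default-only  - no scrub rule mentions reassembly (relies on the default)
pf_reassemble_status() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        /^[ \t]*scrub[ \t]/ {
            if ($0 ~ /no[ \t]+fragment[ \t]+reassemble/) off = 1
            else if ($0 ~ /fragment[ \t]+reassemble/)   on = 1
        }
        END {
            if (off)      print "disabled"
            else if (on)  print "explicit"
            else          print "default-only"
        }' "$1"
}

# Writes a constructed sample config to a temp file and prints its path.
sample_conf() {
    f=$(mktemp) || exit 1
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demo: three constructed rulesets, one per outcome.
demo() {
    a=$(sample_conf 'ext_if = "em0"' \
        'scrub in on $ext_if all fragment reassemble' \
        'pass in on $ext_if proto esp')
    b=$(sample_conf 'scrub in all no fragment reassemble' 'pass all')
    c=$(sample_conf '# scrub in all fragment reassemble' 'pass all')
    for f in "$a" "$b" "$c"; do
        echo "$f: $(pf_reassemble_status "$f")"
    done
    rm -f "$a" "$b" "$c"
}

demo
```

Run it against the live config with `pf_reassemble_status /etc/pf.conf`; a "default-only" result means the ruleset is relying on the behaviour the report says did not hold.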