In ipf 3.4.20 and 3.4.35 (and thus probably all in between) on Solaris 7_x86, "keep frags" has no effect on either interface of a two-interface firewall for UDP protocol. Rules as far as relevant (elxl1 is the outer interface, elxl0 the inner one):
  block in log quick on elxl1 all head 100
  block out log quick on elxl1 all head 150
  block in log quick on elxl0 all head 200
  pass in quick proto udp from any to !FIREWALL keep state keep frags group 200
  block out log quick on elxl0 all head 250

When an NFS connection over UDP is opened to an external (read-only) NFS server with rsize=8192, the answer of read operations is, of course, always fragmented when the packets exceed 1500 bytes. These fragments are not let through by the outer interface. If I open the outer interface specifically for them, they are rejected by the inner interface. Thus I have to use the following workaround:

  block in log quick on elxl1 all head 100
  pass in quick proto udp from NFSSERVER to !FIREWALL with frag group 100
  block out log quick on elxl1 all head 150
  block in log quick on elxl0 all head 200
  pass in quick proto udp from any to !FIREWALL keep state group 200
  block out log quick on elxl0 all head 250
  pass out quick proto udp from NFSSERVER to any with frag group 250

Is this a bug or a feature? BTW, the same behaviour occurs for ICMP ECHO (ping with large data size).
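The mechanism behind the report above, as an added example that is not part of the original post or of ipf itself: a small Python model of an 8192-byte NFS read reply fragmented at a 1500-byte MTU and run through a port-matching state table, once without and once with a fragment cache keyed on (source, destination, IP id), which is the behaviour "keep frags" is meant to provide. Only the first fragment carries the UDP header, so without such a cache every later fragment has no ports to match and is dropped. The addresses, ports and IP id are constructed sample values.

```python
"""
Added example (not from the original post or from ipf): why a stateful
rule that matches UDP ports passes only the first fragment of a large
reply, and what tracking fragments by (src, dst, ip_id) adds.
"""
import struct
from dataclasses import dataclass

MTU = 1500
IP_HDR = 20      # IPv4 header without options
UDP_HDR = 8


@dataclass
class Frag:
    src: str
    dst: str
    ip_id: int
    offset: int      # byte offset of this piece within the datagram (multiple of 8)
    more: bool       # "more fragments" flag
    data: bytes      # the slice of the IP payload carried in this fragment


def fragment_udp(src, dst, sport, dport, payload, ip_id, mtu=MTU):
    """Split one UDP datagram into IPv4 fragments the way a sending host does."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    chunk = (mtu - IP_HDR) // 8 * 8          # 1480 bytes for a 1500-byte MTU
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        frags.append(Frag(src, dst, ip_id, off, off + chunk < len(udp), piece))
    return frags


class StatefulFilter:
    """Port-based state table, optionally with a fragment cache."""

    def __init__(self, keep_frags):
        self.keep_frags = keep_frags
        self.states = set()       # (src, sport, dst, dport) created by outbound packets
        self.frag_cache = set()   # (src, dst, ip_id) of datagrams whose head matched

    def add_state(self, src, sport, dst, dport):
        self.states.add((src, sport, dst, dport))

    def inbound(self, f):
        if f.offset == 0:
            # First fragment: UDP header present, so ports can be checked.
            sport, dport = struct.unpack("!HH", f.data[:4])
            if (f.dst, dport, f.src, sport) in self.states:   # reply reverses the tuple
                if self.keep_frags and f.more:
                    self.frag_cache.add((f.src, f.dst, f.ip_id))
                return True
            return False
        # Later fragments carry no UDP header: only the fragment cache can pass them.
        return (f.src, f.dst, f.ip_id) in self.frag_cache


def simulate(keep_frags, rsize=8192):
    """Return (fragments sent, fragments passed) for one NFS read reply."""
    client, server = "10.0.0.5", "192.0.2.10"      # constructed addresses
    fw = StatefulFilter(keep_frags)
    fw.add_state(client, 40000, server, 2049)      # the client's request created state
    reply = fragment_udp(server, client, 2049, 40000, b"\x00" * rsize, ip_id=4242)
    passed = sum(fw.inbound(f) for f in reply)
    return len(reply), passed


if __name__ == "__main__":
    for flag in (False, True):
        sent, ok = simulate(flag)
        print(f"keep frags={flag}: {ok} of {sent} fragments passed")
```

With the cache disabled the 8200-byte datagram (8 bytes of UDP header plus 8192 of data) becomes six fragments, of which only the first is passed; with it enabled all six pass. That is the gap the "with frag" rules in the workaround paper over by admitting fragments from the server on both interfaces without any port check.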
