It turned out my problem came from having the rule:
pass in quick on ex0 to vlan105:w.x.y.z from 10.1.100.124/32 to any \
keep state keep frags
The 10.1.100.124 is the local Linux system. As soon as I snuck in a host
route to forward out to the w.x.y.z interface and dropped this rule,
everything worked right.
This was on:
morfy# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a
morfy#
(NetBSD 2.0)
Thanks,
peter
On 2/19/05 12:00 PM, "Darren Reed" <[EMAIL PROTECTED]> wrote:
> In some mail from Peter Eisch, sie said:
>>
>> Can anyone help me with understanding what is happening? Is there a way I
>> can tell my local firewall to reassemble the packets into one frame before
>> forwarding to my local Linux (RHEL w/2.6 kernel) system?
>
> IPFilter doesn't do reassembling of fragmented packets.
>
> If you have Linux systems on either side, you may want to try
> including a rule to pass "body" fragments - e.g.
>
> pass in quick all with frag-body,not short
>
> Darren
>