You've stumbled on a missing feature for v6 support in pf.

Nothing is available at present to solve this correctly.

You could do something that defies reason like 'block in inet' instead of 
'block in' but .. the bottom line is, 'pf' only has support for reassembling
IPv4 fragments, not IPv6.  And yes, this renders a stateful filtering
firewall mostly moot until this is fixed for IPv6, to be clear.

Theory suggests that PMTUD should handle things such that fragments do not
appear, but encapsulation and tunneling via IPSec tend to generate them
anyway..

Sorry,
-- 
Todd Fries .. [EMAIL PROTECTED]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \          250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Penned by Charlie Allom on 20081205 18:28.46, we have:
| After wondering why my email was seeing MTU-like issues once I enabled
| an AAAA record, I see that pf is dropping IPv6 packets that are
| fragmented.
| 
| pf.conf(5):
| 1546: Currently, only IPv4 fragments are supported and IPv6 fragments are
|       blocked unconditionally.
| 
| in pf.c, under #ifdef INET6:
| 4402:       do {
|                 switch (pd2.proto) {
|                 case IPPROTO_FRAGMENT:
|                     /*
|                      * ICMPv6 error messages for
|                      * non-first fragments
|                      */
|                     REASON_SET(reason, PFRES_FRAG);
|                     return (PF_DROP);
| 
| I think that's the part we just don't bother parsing them. Or one of them. 
| I've had enable 'pass in inet6'.
| 
| Does anyone have any patches to enable this?
| 
|   C.
| 
| -- 
|  020 7729 4797
|  http://blog.playlouder.com/
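To make the point in the thread concrete, here is an added example (not code from the thread, from pf, or from either poster) that parses an IPv6 Fragment extension header and shows why a non-first fragment carries nothing a stateful filter can match against a state entry without reassembly. The packet bytes, the `build_*` helpers and the `pf_verdict` function are constructed for illustration; `pf_verdict` only mirrors the pf.conf(5) statement quoted above that IPv6 fragments are blocked unconditionally.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_FRAGMENT = 44   # IPv6 Fragment extension header

def build_ipv6(next_hdr, payload):
    """Constructed IPv6 header: version 6, hop limit 64, ::1 -> ::1."""
    addr = b"\x00" * 15 + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + addr + addr + payload

def build_fragment(inner_nh, offset8, more, ident, data):
    """Fragment header: next header, reserved, offset (8-octet units) | M flag, ID."""
    return struct.pack("!BBHI", inner_nh, 0, (offset8 << 3) | more, ident) + data

def tcp_ports(proto, data):
    return struct.unpack("!HH", data[:4]) if proto == IPPROTO_TCP and len(data) >= 4 else None

def classify(pkt):
    """Return what a stateful filter can see: kind, protocol and (if present) ports.
    Assumes the fragment header, if any, immediately follows the fixed header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    next_hdr, plen = pkt[6], struct.unpack("!H", pkt[4:6])[0]
    payload = pkt[40:40 + plen]
    if next_hdr != IPPROTO_FRAGMENT:
        return {"kind": "unfragmented", "proto": next_hdr, "ports": tcp_ports(next_hdr, payload)}
    if len(payload) < 8:
        raise ValueError("truncated fragment header")
    inner_nh, _, off_flags, ident = struct.unpack("!BBHI", payload[:8])
    offset, more, inner = off_flags >> 3, off_flags & 1, payload[8:]
    if offset == 0:
        # First fragment still carries the transport header, so ports are visible.
        return {"kind": "first-fragment", "proto": inner_nh, "id": ident, "more": more,
                "ports": tcp_ports(inner_nh, inner)}
    # Non-first fragment: no transport header at all, so there is nothing to match
    # a state on without reassembly, which is what pf lacks for IPv6 here.
    return {"kind": "non-first-fragment", "proto": inner_nh, "id": ident, "offset": offset,
            "more": more, "ports": None}

def pf_verdict(info):
    """Behaviour stated in pf.conf(5) above: any IPv6 fragment is dropped (PFRES_FRAG)."""
    return "PF_DROP (PFRES_FRAG)" if info["kind"] != "unfragmented" else "evaluate ruleset/state"

# Constructed sample: one SMTP segment (40000 -> 25) sent whole and split in two.
TCP_HDR = struct.pack("!HH", 40000, 25) + b"\x00" * 16
WHOLE = build_ipv6(IPPROTO_TCP, TCP_HDR + b"A" * 28)
FIRST = build_ipv6(IPPROTO_FRAGMENT, build_fragment(IPPROTO_TCP, 0, 1, 0xABCD, TCP_HDR + b"A" * 12))
SECOND = build_ipv6(IPPROTO_FRAGMENT, build_fragment(IPPROTO_TCP, 4, 0, 0xABCD, b"A" * 16))

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST), ("second", SECOND)):
        info = classify(pkt)
        print(name, info["kind"], info["ports"], "->", pf_verdict(info))
```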
