The attached message was sent to NANOG a while back, and I wanted to bring people's attention to the fact that this is a significant deficit for pf.
> Currently, only IPv4 fragments are supported and IPv6 fragments are
> blocked unconditionally.
-- pf.conf(5)

IPv6 fragments need love too!

No, I don't have a patch. I'm fully allocated at the moment.

-- 
Kill dash nine, and it's no more CPU time,
kill dash nine, and that process is mine. -><-
<URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email [EMAIL PROTECTED]
--- Begin Message ---
Henning Brauer <[EMAIL PROTECTED]> wrote:
>> > IPv6 makes NAT obsolete because IPv6 firewalls can provide all
>> > the useful features of IPv4 NAT without any of the downsides.
>> ...
>>
>> IPv6 firewalls? Where? Good ones?
> OpenBSD's pf has support for v6 for years now.

Which works pretty well if you forget one tiny thing (from pf.conf(5)):

| FRAGMENT HANDLING
| [...]
| Currently, only IPv4 fragments are supported and IPv6 fragments are
| blocked unconditionally.

which can bite you in the ass pretty hard if you don't expect it. Fragments are valid packets and crucial for many applications, so unconditional blocking (even with a "pass inet6 from any to any" policy) is bad.

Other working solutions are
- Linux + nf_conntrack (maybe in a few kernel versions, there was an OOPS in 2.6.20-rc5 with (tadaaa) fragment handling, fixed though)
- Cisco ASA and FWSM
- IIRC Juniper (Netscreen) firewalls
and I guess some more.

Regards,
Bernhard
--- End Message ---
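To make the pf.conf(5) caveat quoted above concrete, here is an added example (not code from the thread, pf, or OpenBSD) that walks the IPv6 extension-header chain, picks out packets carrying a Fragment header, and so shows which packets a ruleset like "pass inet6 from any to any" would still drop under the unconditional-block behaviour. The packet samples are constructed inline; the function names and the `::` addresses are assumptions for illustration.

```python
import struct

# IPv6 next-header values (RFC 2460): the extension headers that chain
# via a "next header" + "length" pair, plus the fixed-size Fragment header.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
CHAINED = {HOP_BY_HOP, ROUTING, DEST_OPTS}

def classify_ipv6(pkt: bytes) -> dict:
    """Walk the extension-header chain of one IPv6 packet.
    Returns the upper-layer protocol number ("proto", None for a non-first
    fragment, which carries no upper-layer header) and, if a Fragment header
    is present, its byte offset, more-fragments flag and identification."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, frag = pkt[6], 40, None
    while next_hdr in CHAINED or next_hdr == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            # Fragment header: next, reserved, 13-bit offset | 2 rsv | M flag, id
            nh, _, off_flags, ident = struct.unpack_from("!BBHI", pkt, off)
            frag = {"offset": (off_flags >> 3) * 8,
                    "more": bool(off_flags & 1), "id": ident}
            off, next_hdr = off + 8, nh
            if frag["offset"] != 0:
                return {"proto": None, "fragment": frag}
        else:
            nh, hdr_len = pkt[off], pkt[off + 1]   # length is in 8-octet units, minus 1
            off, next_hdr = off + (hdr_len + 1) * 8, nh
    return {"proto": next_hdr, "fragment": frag}

def blocked_as_fragment(pkts) -> list:
    """Packets pf would block under the quoted pf.conf(5) rule: every IPv6
    packet that carries a Fragment header, whatever the pass rules say."""
    return [p for p in pkts if classify_ipv6(p)["fragment"] is not None]

def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    # Constructed sample header: version 6, hop limit 64, :: -> :: addresses
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + bytes(32) + payload

# Constructed samples: plain ICMPv6 (58); first fragment of a UDP (17) datagram
# with M=1; a later fragment at byte offset 1480 (185 * 8) with M=0.
PLAIN = _ipv6(58, bytes(8))
FIRST_FRAG = _ipv6(FRAGMENT, struct.pack("!BBHI", 17, 0, 1, 0xDEADBEEF) + bytes(8))
LATER_FRAG = _ipv6(FRAGMENT, struct.pack("!BBHI", 17, 0, 185 << 3, 0xDEADBEEF) + bytes(8))
```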