PF Expected behaviour of PF when scrub is disabled, fragmented packets

Hi guys.

So what I was expecting is that if scrub is disabled, fragmented packets are passed through by the firewall as fragmented packets, i.e. not modified.

However, I ran some tests using a third-party tester, which only passed when scrub was enabled, which is interesting as scrub reassembles the packets. This suggests to me that perhaps the test is flawed: it should really be testing whether the packets remained fragmented, but it accepted the packets when they were no longer fragmented.

The test I used is here (the 2nd test on the page).

http://icmpcheckv6.popcount.org/

The command-line test (so no browser is needed) uses this command: curl -v -s http://icmpcheck.popcount.org/frag -o /dev/null

With scrub enabled both tests pass.
With scrub disabled the web test fails; the command test also fails, but with a much longer failure and an error "recv failed: permission denied".

If scrub is disabled, are specific rules needed to allow fragmented packets through, and would fragmented packets returned in response to an outbound request traverse NAT?

If specific rules are enabled, how would fragmented packets be identified in a rule?

Thanks
 
It will depend on your rules, so it's impossible to say without knowing those. Basically, remember that in IPv6 it's impossible to tell (for all but the first fragment) what protocol a packet is. It might be TCP, it might be ICMPv6, it might be UDP. The firewall can't tell. As such it'll likely hit your pass all or block all rule, unless you've got a pass rule for IPv6 fragments (pass port ipv6-frag all). That comes with its own issues though. You almost certainly want 'scrub fragment reassemble'.

As for 172648, the checksum issue with 'reassemble tcp' has not been reproduced, so I wouldn't expect you to be running into that. If you are, please add details of your setup to the bug.
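As an added illustration (not code from either poster) of why a filter can only match the transport header in the first fragment, here is a small Python model that builds a fragmented ICMPv6 echo request, shows what a rule matching on protocol and ICMPv6 type can see in each fragment, and then reassembles the pieces the way a scrub reassemble step does; all packet fields, addresses and the identification value are constructed.

```python
import struct

IPV6_FRAG, ICMPV6 = 44, 58   # Next Header values: Fragment extension header, ICMPv6

def ipv6_header(next_hdr, payload_len):
    # Version 6, zero traffic class/flow label, hop limit 64, all-zero (constructed) addresses.
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, bytes(16), bytes(16))

def fragment(upper_proto, payload, chunk, ident=0x1234):
    """Split an upper-layer payload into IPv6 fragments; chunk must be a multiple of 8."""
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        # Fragment header: next header, reserved, offset (8-byte units) << 3 | M flag, identification.
        fh = struct.pack("!BBHI", upper_proto, 0, (off // 8) << 3 | more, ident)
        frags.append(ipv6_header(IPV6_FRAG, len(fh) + len(data)) + fh + data)
    return frags

def transport_view(pkt):
    """What a filter matching on protocol and ICMPv6 type can see: (proto, type), or None."""
    next_hdr, l4 = pkt[6], pkt[40:]
    if next_hdr == IPV6_FRAG:
        next_hdr, _, off_flags, _ = struct.unpack("!BBHI", l4[:8])
        if off_flags >> 3 != 0:
            return None        # non-first fragment: only payload bytes follow, no type/ports to inspect
        l4 = l4[8:]
    return (next_hdr, l4[0]) if next_hdr == ICMPV6 else (next_hdr, None)

def reassemble(frags):
    """Rebuild the original packet (what 'scrub fragment reassemble' does); None if incomplete."""
    pieces, proto, expect, got_last = [], None, 0, False
    for pkt in sorted(frags, key=lambda p: struct.unpack("!H", p[42:44])[0] >> 3):
        proto, _, off_flags, _ = struct.unpack("!BBHI", pkt[40:48])
        if (off_flags >> 3) * 8 != expect:
            return None        # gap or overlap between fragments
        pieces.append(pkt[48:])
        expect += len(pkt[48:])
        got_last = not (off_flags & 1)
    if not got_last:
        return None
    body = b"".join(pieces)
    return ipv6_header(proto, len(body)) + body

# Constructed ICMPv6 echo request: type 128, code 0, zero checksum, id 1, seq 1, 24 data bytes.
ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"A" * 24
FRAGS = fragment(ICMPV6, ECHO, 16)

if __name__ == "__main__":
    print([transport_view(f) for f in FRAGS], transport_view(reassemble(FRAGS)))
```

Only the first fragment yields (58, 128); the second yields None, which is the situation the reply above describes, and only the reassembled packet is matchable again.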
 
Sorry for the very late reply.

In my case I don't think the rules are relevant to the problem noticed; there is nothing specific configured that would only drop fragments. But let's simplify it.

Assume there is just one rule:

allow * for all ipv6.

With scrub flags "fragment reassemble" the test passes; with scrub disabled the test fails even with the allow * rule.

Theories?

I have never used reassemble tcp.

Thanks for revealing "pass port ipv6-frag all"; I will test with that (is this one even documented?), as fragments do appear to be blocked when no scrub rule is present.