Hi all

I have this at the beginning of pf.conf:

match all scrub (reassemble tcp no-df )
match out all scrub (random-id)

Behind that FW is a (OpenIndiana) DNS server that fragments those of its UDP replies that are too large for the local MTU (1500). (Log below is from a DNSKEY query, the failure of which results in DNSSEC validation failing.) The server also sets the DF bit on the fragmented packets ...

The external IP dns1-external.domain.tld is natted on the firewall to dns1-internal.domain.tld.

The fragmented replies reach the internal firewall interface, but never go out again. There is a log entry for both fragments of the reply packets (even though the rule is set to not log), and no further notice.

I thought that with the no-df scrub option this should no longer happen ... I must be missing something, but what? I've bumped my head into this too long now, maybe somebody spots what I can't.

(FWIW: The same query over IPv6 (no nat - the server is dual-stack) works, but then the requesting client has issues with reassembling the packets :-[)

tcpdump on internal interface:

13:23:09.374991 72.13.58.105.44267 > dns1-internal.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 38692, len 64)
13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] (frag 7478:1480@0+) (DF) (ttl 255, len 1500)
13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: (frag 7478:110@1480) (DF) (ttl 255, len 130)
13:23:14.380440 72.13.58.105.44267 > dns1-internal.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 53971, len 64)
...

tcpdump on pflog0 (the matching rule is set to not log):

Dec 04 13:23:09.376397 rule def/(fragment) [uid 0, pid 0] pass in on vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld.domain > 72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld.[|domain] (frag 7478:1480@0+) (DF) (ttl 255, len 1500)
Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld > 72.13.58.105: (frag 7478:110@1480) (DF) (ttl 255, len 130)
Dec 04 13:23:14.381860 rule def/(fragment) [uid 0, pid 0] pass in on vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld.domain > 72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld.[|domain] (frag 7491:1480@0+) (DF) (ttl 255, len 1500)
...

tcpdump on external interface:

13:23:09.374546 72.13.58.105.44267 > dns1-external.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 38692, len 64)
13:23:14.380013 72.13.58.105.44267 > dns1-external.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 53971, len 64)
...

Thx
/markus
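To compare the two captures systematically, here is an added Python script (not part of the post above, and not part of pf) that parses the tcpdump fragment notation `(frag id:len@offset+)`, groups fragments by IP id, checks whether each group is contiguous and complete, and flags groups that carry DF and were seen on the internal interface but never on the external one. It assumes captures in the text format shown in the post and uses lines copied from it as constructed sample input.

```python
import re

# Constructed sample input: tcpdump lines taken from the post, one packet per line.
INTERNAL_CAPTURE = """\
13:23:09.374991 72.13.58.105.44267 > dns1-internal.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 38692, len 64)
13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] (frag 7478:1480@0+) (DF) (ttl 255, len 1500)
13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: (frag 7478:110@1480) (DF) (ttl 255, len 130)
"""
EXTERNAL_CAPTURE = """\
13:23:09.374546 72.13.58.105.44267 > dns1-external.domain.tld.domain: [udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO (36) (ttl 46, id 38692, len 64)
"""

# tcpdump prints fragments as "(frag <ip id>:<payload len>@<offset>[+])"; "+" means more fragments follow.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def parse_fragments(capture):
    """Map each IP id to a list of (offset, payload_len, more_fragments, df) tuples."""
    groups = {}
    for line in capture.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue  # unfragmented packet, not interesting here
        ip_id, length, offset, more = m.groups()
        groups.setdefault(int(ip_id), []).append(
            (int(offset), int(length), more == "+", "(DF)" in line)
        )
    return groups


def fragment_audit(internal, external):
    """For every fragment group seen inside, report completeness, DF and whether it egressed."""
    inside, outside = parse_fragments(internal), parse_fragments(external)
    report = []
    for ip_id, frags in sorted(inside.items()):
        frags.sort()
        # Contiguous if each fragment starts where the previous one ended,
        # the first starts at 0 and the last has the more-fragments flag cleared.
        expected, complete = 0, True
        for offset, length, more, _df in frags:
            complete = complete and offset == expected
            expected = offset + length
        complete = complete and not frags[-1][2]
        report.append({
            "id": ip_id,
            "fragments": len(frags),
            "total_len": expected,            # reassembled payload size
            "df": any(f[3] for f in frags),   # DF set on a fragmented packet
            "complete": complete,
            "egressed": ip_id in outside,     # same IP id seen on the outside
        })
    return report
```

A group reported with `df` true and `egressed` false is exactly the fragmented-with-DF case the post asks about, so the script gives a quick way to confirm whether a ruleset change (for example to the scrub options) actually lets those fragments leave.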

