pf dropping fragmented UDP despite scrub no-df
Markus Wernig
2017-12-04 13:00:29 UTC
Hi all

I have this at the beginning of pf.conf:

match all scrub (reassemble tcp no-df)
match out all scrub (random-id)

Behind that FW is a (OpenIndiana) DNS server that fragments those of its
UDP replies that are too large for the local MTU (1500). (Log below is
from a DNSKEY query, the failure of which results in DNSSEC validation
failing.)
The server also sets the DF bit on the fragmented packets ...
The external IP dns1-external.domain.tld is natted on the firewall to
dns1-internal.domain.tld.

The fragmented replies reach the internal firewall interface, but never
go out again. There is a log entry for both fragments of the reply
packets (even though the rule is set to not log), and no further notice.

I thought that with the no-df scrub option this should no longer happen
... I must be missing something, but what? I've bumped my head into this
too long now, maybe somebody spots what I can't.

(FWIW: The same query over IPv6 (no nat - the server is dual-stack)
works, but then the requesting client has issues with reassembling the
packets :-[)


tcpdump on internal interface:

13:23:09.374991 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)
13:23:09.376370 dns1-internal.domain.tld.domain > 72.13.58.105.44267:
47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld. DNSKEY[|domain] (frag
7478:***@0+) (DF) (ttl 255, len 1500)
13:23:09.376377 dns1-internal.domain.tld > 72.13.58.105: (frag
7478:***@1480) (DF) (ttl 255, len 130)

13:23:14.380440 72.13.58.105.44267 > dns1-internal.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...


tcpdump on pflog0 (the matching rule is set to not log):

Dec 04 13:23:09.376397 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7478:***@0+) (DF) (ttl 255, len 1500)
Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld >
72.13.58.105: (frag 7478:***@1480) (DF) (ttl 255, len 130)

Dec 04 13:23:14.381860 rule def/(fragment) [uid 0, pid 0] pass in on
vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld.domain >
72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1
domain.tld.[|domain] (frag 7491:***@0+) (DF) (ttl 255, len 1500)
...


tcpdump on external interface:

13:23:09.374546 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 38692, len 64)

13:23:14.380013 72.13.58.105.44267 > dns1-external.domain.tld.domain:
[udp sum ok] 47368 [1au] DNSKEY? domain.tld. ar: . OPT UDPsize=4096 DO
(36) (ttl 46, id 53971, len 64)
...

Thx /markus
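As an added example (not code from Markus or from pf), a small Python parser over pflog tcpdump lines of the shape shown in the post. It groups fragments by IP id and reports what is at issue here: whether the fragments are contiguous and terminated, the reassembled datagram length, whether DF is set on a fragment, and whether every fragment was handled by the default (fragment) rule. It assumes a 20-byte IP header (no options) and derives payload sizes from the len field, since the size field in the post is masked; the two sample lines are constructed from the post's log format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pflog lines in the post; the masked
# "***" size field is left as-is because sizes are derived from "len" instead.
PFLOG = """\
Dec 04 13:23:09.376397 rule def/(fragment) [uid 0, pid 0] pass in on vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld.domain > 72.13.58.105.44267: 47368*- q: DNSKEY? domain.tld. 5/0/1 domain.tld.[|domain] (frag 7478:***@0+) (DF) (ttl 255, len 1500)
Dec 04 13:23:09.376413 rule def/(fragment) [uid 0, pid 0] pass in on vlan210: [uid 4294967295, pid 100000] dns1-internal.domain.tld > 72.13.58.105: (frag 7478:***@1480) (DF) (ttl 255, len 130)
"""

IPHDR = 20  # assumption: no IP options, so fragment payload = len - 20

FRAG_RE = re.compile(
    r"rule (?P<rule>\S+) .*?\(frag (?P<id>\d+):\S+?@(?P<off>\d+)(?P<mf>\+?)\)"
    r"(?P<df> \(DF\))?.*?len (?P<len>\d+)\)"
)

def parse_fragments(log):
    """Group fragment lines by IP id: offset, payload, MF flag, DF flag, rule."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = FRAG_RE.search(line)
        if m:
            groups[int(m["id"])].append({
                "off": int(m["off"]),
                "payload": int(m["len"]) - IPHDR,
                "mf": m["mf"] == "+",          # trailing '+' means more fragments
                "df": m["df"] is not None,
                "rule": m["rule"],
            })
    return groups

def check_datagram(frags):
    """Walk fragments in offset order; report contiguity, reassembled length,
    DF-on-fragment, and whether all fragments hit pf's default (fragment) rule."""
    frags = sorted(frags, key=lambda f: f["off"])
    expected = 0
    for f in frags:
        if f["off"] != expected:  # hole or overlap: reassembly cannot finish
            return {"complete": False, "gap_at": expected}
        expected = f["off"] + f["payload"]
    return {
        "complete": not frags[-1]["mf"],
        "total_len": expected + IPHDR,
        "df_on_fragment": any(f["df"] for f in frags),
        "default_rule": all(f["rule"].startswith("def/") for f in frags),
    }

def audit(log):
    return {ipid: check_datagram(fr) for ipid, fr in parse_fragments(log).items()}
```

For the two fragments above this yields a complete 1610-byte datagram (1480 + 110 bytes of payload plus the header) with DF set on both fragments, both matched by the default (fragment) rule rather than the explicit pass rule.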
