# Problem passing Kerberos (UDP port 88)



## muzinim (Mar 21, 2012)

I am having a bizarre problem with Kerberos (UDP) not passing through firewall rules which allow this.  Any 88/UDP connections with a length less than 1500 pass through the rule while connections with a length of 1500 don't match the rule and are denied.  If I allow all protocols to the respective host, Kerberos traffic passes through the rule regardless of length.  Additionally, we are not having problems with other UDP protocols such as DNS, LDAP, and NTP.  Is there a PF setting that needs to be changed to allow this type of traffic?

We are running FreeBSD 8.2 with PF on a system with several NICs including 10Gb cards.  Though the MTU size on the 10Gb NICs is set to 9000, it does not appear to be a hardware or operating system issue.

This is puzzling to say the least.


----------
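The pattern described above (a rule that names port 88 fails only for packets at the 1500-byte MTU, while a rule that allows everything to the host passes the same traffic) is what a port-based filter produces when a UDP datagram is larger than the MTU and arrives as IPv4 fragments: only the first fragment carries the UDP header, so the later fragments can match no rule that specifies a port and fall through to the block rule. The thread does not confirm that this is the cause. The Python model below is an added example, not code from the post, from PF or from FreeBSD; addresses, ports and sizes are constructed. It fragments a 4000-byte Kerberos-sized datagram for a 1500-byte MTU, evaluates the fragments under a port rule, under an allow-all-to-host rule, and after reassembly, and reproduces the observed verdicts.

```python
"""Why a port-based rule drops large UDP datagrams: a fragmentation model.

Added example for this thread, not code from the original post or from PF.
A UDP/88 datagram is fragmented as IPv4 does for a 1500-byte MTU and each
fragment is evaluated against rules that mimic the two pf rules the poster
compared. All addresses, ports and sizes are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MTU = 1500
IP_HDR = 20
UDP_HDR = 8
PROTO_UDP = 17


@dataclass
class Fragment:
    src: str
    dst: str
    proto: int
    total_len: int      # IP total length of this fragment
    offset: int         # fragment offset in bytes
    more: bool          # "more fragments" flag
    payload: bytes      # transport-layer bytes carried by this fragment


def fragment(src, dst, sport, dport, data, mtu=MTU) -> List[Fragment]:
    """Wrap data in a UDP header and split it into IPv4 fragments.

    Every fragment payload except the last is a multiple of 8 bytes (RFC 791),
    so only the fragment at offset 0 contains the UDP header.
    """
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(data), 0) + data
    chunk = (mtu - IP_HDR) // 8 * 8          # 1480 bytes for a 1500-byte MTU
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        frags.append(Fragment(src, dst, PROTO_UDP, IP_HDR + len(piece), off,
                              off + chunk < len(udp), piece))
    return frags


def udp_ports(frag: Fragment) -> Optional[Tuple[int, int]]:
    """Return (sport, dport) if this fragment carries the UDP header, else None."""
    if frag.offset != 0 or len(frag.payload) < UDP_HDR:
        return None
    sport, dport = struct.unpack("!HH", frag.payload[:4])
    return sport, dport


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst: Optional[str] = None        # None matches any host
    proto: Optional[int] = None
    dport: Optional[int] = None


def evaluate(rules: List[Rule], frag: Fragment) -> str:
    """Last-matching-rule semantics, as pf uses; the default verdict is block."""
    verdict = "block"
    for r in rules:
        if r.dst is not None and r.dst != frag.dst:
            continue
        if r.proto is not None and r.proto != frag.proto:
            continue
        if r.dport is not None:
            ports = udp_ports(frag)
            if ports is None or ports[1] != r.dport:
                continue                 # no UDP header in this fragment: no match
        verdict = r.action
    return verdict


def reassemble(frags: List[Fragment]) -> Fragment:
    """Stand-in for a filter that reassembles fragments before applying rules."""
    data = b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))
    first = frags[0]
    return Fragment(first.src, first.dst, first.proto, IP_HDR + len(data), 0, False, data)


def run(filter_rules, reassemble_first=False, data_len=4000):
    """Return (ip_total_length, verdict) for each packet the filter sees."""
    frags = fragment("192.0.2.50", "192.0.2.10", 50000, 88, b"K" * data_len)
    if reassemble_first:
        frags = [reassemble(frags)]
    return [(f.total_len, evaluate(filter_rules, f)) for f in frags]


# Constructed rule sets: a port-88 rule and an allow-all-to-host rule, each after a block-all.
PORT_RULES = [Rule("block"), Rule("pass", dst="192.0.2.10", proto=PROTO_UDP, dport=88)]
HOST_RULES = [Rule("block"), Rule("pass", dst="192.0.2.10")]

if __name__ == "__main__":
    print("port rule, fragmented:   ", run(PORT_RULES))
    print("host rule, fragmented:   ", run(HOST_RULES))
    print("port rule, reassembled:  ", run(PORT_RULES, reassemble_first=True))
    print("port rule, small packet: ", run(PORT_RULES, data_len=1000))
```

Under the port rule the first fragment (1500 bytes, header present) passes and the 1500-byte second fragment is blocked, which is the length the poster saw being denied; under the host rule every fragment passes; after reassembly the whole datagram passes; a datagram that fits in one packet passes either way. In PF the reassembly step is the `scrub` directive (`scrub in all fragment reassemble` in the pf shipped with FreeBSD 8.x), and the `fragment` counter in `pfctl -s info` is a quick check for whether fragments are reaching the filter at all.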



## muzinim (Mar 21, 2012)

*TCP is preferred*

Though I still have interest in how/why PF is dropping the UDP/88 packets which have a length of 1500, going forward TCP is the preferred Kerberos communication method (http://support.microsoft.com/kb/244474).  Older clients can obviously be changed to force TCP, eliminating this as a problem.


----------

