Date: Thu, 22 Jul 2004 15:32:25 -0700
From: othermark <atkin901@yahoo.com>
To: freebsd-current@freebsd.org
Subject: Re: fixing out of order first fragment processing?
Message-ID: <cdpf9q$o0t$1@sea.gmane.org>
References: <cdpbts$om0$1@sea.gmane.org> <200407222359.23147.max@love2party.net>
Max Laier wrote:
> On Thursday 22 July 2004 23:34, othermark wrote:
> Activation of pf with a
>   scrub in on <interface> fragment reassemble
> rule works as workaround.

Thanks for this suggestion, I have a 'scrub in all fragments reassemble' that I just added and loaded to my /etc/pf.conf, which does not seem to solve the problem. Do I have to specify a scrub for each interface in this case (maybe a better question for the pf list)?

> In every case you have to decide if you want to
> invest the required memory to store fragments, which might make you
> easy/easier prey for DoS-attacks. Usually, for an average gateway the cost
> is worth the gain (= increased security).

Most of the current systems today are able to handle both types of sequences. It really is a small processing hit, FreeBSD already does some buffering with proper safeguards/maximums for various traffic patterns. I would suspect some NFS/udp interoperability problems with the way it handles fragments right now.

--
othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);
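As an added illustration (not from either poster in this thread), the following minimal /etc/pf.conf shows both forms of the scrub rule the thread discusses, the per-interface form Max suggested and the interface-independent form othermark tried, together with a frags limit that bounds the reassembly memory Max's DoS remark refers to. The interface name em0 and the limit value are assumptions; note that pf's keyword is the singular "fragment".

```pf
# Added example, not taken from the thread. Interface name and limit are assumed.
ext_if = "em0"

# Cap the number of fragment entries pf will hold while waiting to reassemble
# a datagram; this is the memory/DoS trade-off mentioned in the thread.
set limit frags 5000

# Per-interface form: reassemble fragments arriving on $ext_if only.
scrub in on $ext_if all fragment reassemble

# Interface-independent form (reassemble on every interface); use one or the
# other, not both:
# scrub in all fragment reassemble

block all
pass out keep state
```

Before loading, parse-check the file with `pfctl -nf /etc/pf.conf`; a typo such as "fragments" is rejected at this step rather than silently ignored. After `pfctl -f /etc/pf.conf`, `pfctl -s rules` lists the active scrub rules and `pfctl -s memory` shows the frags limit in effect.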