From: othermark
To: freebsd-current@freebsd.org
Date: Thu, 22 Jul 2004 15:32:25 -0700
Subject: Re: fixing out of order first fragment processing?
References: <200407222359.23147.max@love2party.net>
User-Agent: KNode/0.7.7
List-Id: Discussions about the use of FreeBSD-current

Max Laier wrote:

> On Thursday 22 July 2004 23:34, othermark wrote:
> Activation of pf with a
>   scrub in on fragment reassemble
> rule works as workaround.

Thanks for this suggestion, I have a 'scrub in all fragments reassemble' that I just added and loaded to my /etc/pf.conf, which does not seem to solve the problem.

Do I have to specify a scrub for each interface in this case (maybe a better question for the pf list)?

> In every case you have to decide if you want to
> invest the required memory to store fragments, which might make you
> easy/easier prey for DoS-attacks. Usually, for an average gateway the cost
> is worth the gain (= increased security).

Most of the current systems today are able to handle both types of sequences. It really is a small processing hit; FreeBSD already does some buffering with proper safeguards/maximums for various traffic patterns. I would suspect some NFS/udp interoperability problems with the way it handles fragments right now.

-- 
othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);
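Added illustration (not from either poster's configuration): a minimal /etc/pf.conf that enables fragment reassembly on every interface with a single rule, and bounds the memory the reassembly queue may consume so that the DoS trade-off raised in the quoted reply is an explicit limit rather than an open-ended one. The interface name and the limit value are assumptions chosen for the example.

```pf
# Cap the number of fragment entries pf will hold while waiting for the
# rest of a datagram.  The value is an example; size it to the box's
# memory and to the expected fragment load.
set limit frags 5000

# One scrub rule with "all" covers every interface, so no per-interface
# rule is needed.  Fragments are reassembled before any filter rule sees
# them, regardless of the order in which they arrived.
scrub in all fragment reassemble

# If reassembly is wanted on one interface only, name it instead of "all"
# ($ext_if is an assumed macro for the outside interface).
# ext_if = "fxp0"
# scrub in on $ext_if all fragment reassemble

# Ordinary filter rules follow; the blocks below are placeholders.
block in all
pass out all keep state
```

Load with `pfctl -f /etc/pf.conf` and inspect the frag limit and counters with `pfctl -s memory` and `pfctl -s info`; if the reassembly queue fills, later fragments are dropped rather than consuming further memory.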