From: Ian Smith <smithi@nimnet.asn.au>
To: Garrett Wollman
Cc: freebsd-security@freebsd.org
Date: Sun, 4 May 2014 00:53:54 +1000 (EST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
In-Reply-To: <21348.32212.390793.959943@hergotha.csail.mit.edu>
Message-ID: <20140504003835.J11699@sola.nimnet.asn.au>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On Sat, 3 May 2014 01:25:40 -0400, Garrett Wollman wrote:
 > < said:
 >
 > > I've always allowed frags, as per the example rulesets in rc.firewall.
 > > I only recall seeing them on DNS responses from zen.spamhaus.org, where
 > > I see plenty of these after a resetlog before the logging limit kicks
 > > in. I doubt I'd be getting rid of ~90% of incoming spam without; eg:
 >
 > Blocking inbound fragments will definitely screw you when you try to
 > use DNSsec.

Thanks to you and Darren; more grist for mending the Handbook ipfw page,
likely why some people have been perhaps ill-advisedly dropping frags.

cheers, Ian
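The point Garrett and Ian are making is easy to see if you work through what a stateless filter actually gets to look at. A large (DNSSEC-sized) UDP reply from port 53 is split into IPv4 fragments; only the first fragment carries the UDP header, so a rule keyed on "udp from any 53" can never match the later fragments, which is why the rc.firewall examples carry a separate rule for them (ipfw's `frag` keyword matches fragments that are not the first fragment of a datagram, and by definition has no transport header to inspect). The following script is an added illustration, not code from this thread or from FreeBSD: it builds a constructed UDP datagram, fragments it for a 1500-byte MTU, and runs each fragment through a toy model of two rules, "allow udp from any 53 to me" and, optionally, "allow ip from any to any frag". The addresses, identification field and payload length are made-up sample values.

```python
import struct

IPV4_HEADER_LEN = 20   # no IP options
UDP_HEADER_LEN = 8
IPPROTO_UDP = 17
DNS_PORT = 53


def fragment_udp(udp_payload_len, sport=DNS_PORT, dport=40000, mtu=1500):
    """Build one UDP datagram (constructed sample, zero-filled payload) and split
    it into IPv4 fragments that fit `mtu`. Returns the raw bytes of each
    fragment: an IPv4 header followed by a slice of the UDP datagram.
    """
    udp = struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + udp_payload_len, 0)
    udp += bytes(udp_payload_len)
    # Every fragment except the last must carry a multiple of 8 data bytes.
    per_frag = (mtu - IPV4_HEADER_LEN) // 8 * 8
    frags = []
    for offset in range(0, len(udp), per_frag):
        chunk = udp[offset:offset + per_frag]
        more = offset + len(chunk) < len(udp)
        flags_off = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset/8
        hdr = struct.pack(
            "!BBHHHBBH4s4s",
            0x45, 0, IPV4_HEADER_LEN + len(chunk),   # ver/IHL, TOS, total length
            0x1234, flags_off,                        # sample ID, flags/offset
            64, IPPROTO_UDP, 0,                       # TTL, protocol, checksum (unset)
            bytes([192, 0, 2, 53]),                   # sample resolver (TEST-NET-1)
            bytes([192, 0, 2, 10]),                   # sample client   (TEST-NET-1)
        )
        frags.append(hdr + chunk)
    return frags


def classify(frag):
    """Extract what a stateless filter can see: fragment offset, MF flag and,
    for the first fragment only, the UDP ports. Later fragments have no UDP
    header, so their ports are reported as None."""
    flags_off = struct.unpack("!H", frag[6:8])[0]
    offset = flags_off & 0x1FFF
    more = bool(flags_off & 0x2000)
    proto = frag[9]
    if offset == 0 and proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", frag[IPV4_HEADER_LEN:IPV4_HEADER_LEN + 4])
    else:
        sport = dport = None
    return {"offset": offset, "more": more, "sport": sport, "dport": dport}


def passes(frag, allow_frags):
    """Toy ruleset: 'allow udp from any 53 to me' always present;
    'allow ip from any to any frag' only when allow_frags is True.
    Non-first fragments can only ever match the frag rule."""
    info = classify(frag)
    if info["offset"] == 0:
        return info["sport"] == DNS_PORT
    return allow_frags


def delivered(udp_payload_len, allow_frags, mtu=1500):
    """Return (whole datagram reassemblable?, number of fragments)."""
    frags = fragment_udp(udp_payload_len, mtu=mtu)
    return all(passes(f, allow_frags) for f in frags), len(frags)


if __name__ == "__main__":
    for size in (512, 4096):
        for allow in (False, True):
            ok, n = delivered(size, allow)
            print(f"{size}-byte reply, {n} fragment(s), frag rule={allow}: "
                  f"{'delivered' if ok else 'DROPPED'}")
```

A 512-byte reply fits in one packet and is unaffected either way; a 4096-byte reply becomes three fragments, and without the frag rule only the first one gets through, so the resolver never completes reassembly and the query times out. The model is deliberately simpler than ipfw (no stateful `keep-state`, no `reass`, no IPv6), but the header-level reason is the same one the thread describes.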