Date: Fri, 18 May 2007 09:50:58 +1000
From: Mark Andrews <Mark_Andrews@isc.org>
Cc: freebsd-net@freebsd.org, Hugo Koji Kobayashi <koji@registro.br>, freebsd-stable@freebsd.org
Subject: Re: udp fragmentation with pf/ipf
Message-ID: <200705172350.l4HNowGe089722@drugs.dv.isc.org>
In-Reply-To: Your message of "Fri, 18 May 2007 09:47:56 +1000."

> This should be rejected as "keep frags" is meaningless here.
>
> pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag

The reason is that "ip" fragments do not have next level headers.

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
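
The point about fragments lacking next-level headers, as an added example that is not part of the original message and is not ipf or pf code: it builds a UDP datagram to port 53, splits it into two IPv4 fragments, and shows that only the offset-0 fragment exposes ports, while both share the IP-level key (source, destination, protocol, IP ID). The addresses, source port, IP ID and payload are constructed sample values, and the helper names are hypothetical.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def ipv4_fragment(src, dst, ident, offset_bytes, more, payload, proto=17):
    """Build one IPv4 fragment (checksum left at 0; constructed sample only)."""
    flags_off = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Return what a filter can see: IP-level key always, ports only if present."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8      # fragment offset in bytes
    more = bool(flags_off & 0x2000)        # MF (more fragments) flag
    info = {"key": (src, dst, proto, ident), "offset": offset,
            "is_fragment": more or offset > 0, "sport": None, "dport": None}
    # Only the fragment at offset 0 begins with the UDP header; later
    # fragments begin with datagram payload, so there is no port to match.
    if proto == 17 and offset == 0 and len(pkt) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def sample_fragments():
    """Constructed sample: 1208-byte UDP datagram to port 53, split at byte 600."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + 1200, 0) + b"\xAA" * 1200
    first = ipv4_fragment("192.0.2.113", "198.51.100.1", 0x1234, 0, True, udp[:600])
    second = ipv4_fragment("192.0.2.113", "198.51.100.1", 0x1234, 600, False, udp[600:])
    return first, second

if __name__ == "__main__":
    for pkt in sample_fragments():
        info = parse(pkt)
        print("offset=%4d dport=%s id=0x%04x" % (info["offset"], info["dport"], info["key"][3]))
```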