Date:      Wed, 28 Jan 2015 18:14:00 +0000
From:      "Wolff, Nicholas (Nick)" <nwolff@oar.net>
To:        "lev@FreeBSD.org" <lev@FreeBSD.org>, Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-net <freebsd-net@freebsd.org>, Matthew Seaman <m.seaman@infracaninophile.co.uk>
Subject:   Re: Problems with IP fragments
Message-ID:  <D0EE90E4.1553E%wolff.261@osu.edu>
In-Reply-To: <54C9259B.4030508@FreeBSD.org>
References:  <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org> <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com> <54C9259B.4030508@FreeBSD.org>


We use the following for UDP fragments, for this issue specifically, actually.

# udp frags (large dnssec responses)
add 02030 allow udp from any to me frag



On 1/28/15, 1:08 PM, "Lev Serebryakov" <lev@FreeBSD.org> wrote:

>
>On 28.01.2015 21:04, Freddie Cash wrote:
>
>>> Looks like "IP Fragments Filtered", but I don't understand — why
>>> and where?!
>>> 
>>> I'm using ipfw on both hosts, but I don't have any special rules
>>> about IP fragments at all! And as these systems are in
>>> completely different networks, with different uplinks and FreeBSD
>>> versions!
>>> 
>> 
>> IPFW doesn't deal with IP fragment reassembly by default.
>  Oh, I see. And as the second fragment is not "UDP" (it doesn't have a UDP
>header!), it doesn't pass through the stateful firewall... I see now.
>Thank you.
>
>> You can add something like the following to the start of the IPFW
>> ruleset to work around it (one for each NIC):
>> 
>> $IPFW add reass ip from any to any in recv $NIC0
>> $IPFW add reass ip from any to any in recv $NIC1
>> ...
>> 
>
>
>-- 
>// Lev Serebryakov
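The mechanism the thread arrives at (only the first fragment of a large UDP reply carries the UDP header, so a port-matching or stateful rule never sees the later fragments as "UDP") is easy to verify on paper. The following Python is an added illustration written for this archive page; it is not code from the thread, from ipfw, or from FreeBSD. It builds a constructed IPv4/UDP datagram, fragments it at a constructed MTU, and models three policies as plain Python predicates: a port-matching rule, the `allow udp from any to me frag` rule Nick quotes, and a `reass`-style reassembly step placed before the port rule. Addresses, ports, the 1200-byte payload, the 576-byte MTU and the checksum-free headers are all assumptions made for the demo, not values from the page.

```python
"""
Added demo (not from the mailing-list thread or from ipfw): show that only
the first IP fragment of a UDP datagram carries a UDP header, so a rule that
needs ports passes one fragment and drops the rest, and show what the 'frag'
rule and a 'reass'-style step change. All packet values are constructed.
"""
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" flag
IP_OFFMASK = 0x1FFF     # fragment offset, in 8-byte units
IP_HDR_LEN = 20
IP_FMT = "!BBHHHBBH4s4s"  # minimal IPv4 header, no options


def _ip_header(total_len, ident, flags_frag, proto, src, dst):
    # Checksum left 0: these packets never reach a real stack.
    return struct.pack(IP_FMT, 0x45, 0, total_len, ident, flags_frag, 64, proto, 0, src, dst)


def build_udp_datagram(src, dst, sport, dport, payload, ident=0x1234):
    """Unfragmented IPv4/UDP datagram: IP header, UDP header, payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ip_header(IP_HDR_LEN + len(udp), ident, 0, IPPROTO_UDP, src, dst) + udp


def parse_ip(pkt):
    """The IP-level fields a firewall has before it can say anything about ports."""
    _, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:IP_HDR_LEN])
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "more": bool(flags_frag & IP_MF),
            "offset": (flags_frag & IP_OFFMASK) * 8,
            "data": pkt[IP_HDR_LEN:total_len]}


def fragment(datagram, mtu):
    """Split like a sending host: each fragment gets a copy of the IP header,
    but the UDP header is ordinary payload and lands only in the first one."""
    ip = parse_ip(datagram)
    body = ip["data"]
    step = (mtu - IP_HDR_LEN) // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(body), step):
        chunk = body[off:off + step]
        more = off + len(chunk) < len(body)
        flags_frag = (IP_MF if more else 0) | (off // 8)
        frags.append(_ip_header(IP_HDR_LEN + len(chunk), ip["ident"], flags_frag,
                                ip["proto"], ip["src"], ip["dst"]) + chunk)
    return frags


def udp_ports(pkt):
    """(sport, dport) for a first fragment of a UDP packet, else None:
    a later fragment simply has no UDP header to read."""
    p = parse_ip(pkt)
    if p["proto"] != IPPROTO_UDP or p["offset"] != 0:
        return None
    return struct.unpack("!HH", p["data"][:4])


def port_rule_passes(pkt, sport):
    """Model of a port-matching / stateful rule such as 'allow udp from any 53 to me':
    a packet with no readable ports cannot match it."""
    ports = udp_ports(pkt)
    return ports is not None and ports[0] == sport


def frag_rule_passes(pkt):
    """Model of 'allow udp from any to me frag': UDP protocol and a non-first fragment."""
    p = parse_ip(pkt)
    return p["proto"] == IPPROTO_UDP and p["offset"] != 0


def reassemble(frags):
    """Model of a 'reass' step: rebuild the datagram so later rules see ports again.
    Raises ValueError on a gap or a missing final fragment instead of guessing."""
    parsed = sorted((parse_ip(f) for f in frags), key=lambda p: p["offset"])
    expected = 0
    for p in parsed:
        if p["offset"] != expected:
            raise ValueError("gap in fragment chain at offset %d" % expected)
        expected += len(p["data"])
    if parsed[-1]["more"]:
        raise ValueError("final fragment missing")
    body = b"".join(p["data"] for p in parsed)
    first = parsed[0]
    return _ip_header(IP_HDR_LEN + len(body), first["ident"], 0, first["proto"],
                      first["src"], first["dst"]) + body


def demo(payload_len=1200, mtu=576):
    """Constructed large reply from port 53; report what each policy lets through."""
    reply = build_udp_datagram(bytes([192, 0, 2, 53]), bytes([192, 0, 2, 10]),
                               53, 40000, b"\x00" * payload_len)
    frags = fragment(reply, mtu)
    reassembled = reassemble(frags)
    return {"fragments": len(frags),
            "passed_by_port_rule_only": sum(port_rule_passes(f, 53) for f in frags),
            "passed_with_frag_rule": sum(port_rule_passes(f, 53) or frag_rule_passes(f) for f in frags),
            "reassembled_matches_port_rule": port_rule_passes(reassembled, 53),
            "reassembled_intact": reassembled == reply}


if __name__ == "__main__":
    print(demo())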



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D0EE90E4.1553E%wolff.261>