From: David DeSimone
To: "freebsd-net@freebsd.org"
Subject: RE: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Date: Sat, 31 Jan 2015 06:11:11 +0000

Kevin Oberman wrote:
> For ipfw you need something like "allow ip from any to me frag". If you
> want to restrict this to DNS, restrict it to dst-port 53.

Unfortunately, UDP fragments only contain the port number in the very first fragment. So you will not be able to forward the later fragments based on port number. You can only see the Src/Dest IP and Protocol number in the fragment.

-- 
David DeSimone == fox@verio.net == Network Admin
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow
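
Added example, not part of the original message: the sketch below fragments a constructed 1800-byte UDP answer from port 53 and shows which header fields a stateless filter can read from each fragment, so the port rule matches only the first one. The addresses, the 1500-byte MTU, the payload size and all function names are assumptions made for the illustration.

```python
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options

def ipv4_fragments(src, dst, proto, l4, mtu=1500, ident=0x1234):
    """Split one L4 datagram into IPv4 fragments (header checksum left at 0)."""
    step = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    frags = []
    for off in range(0, len(l4), step):
        chunk = l4[off:off + step]
        more = 0x2000 if off + step < len(l4) else 0   # MF (more fragments) flag
        hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(chunk), ident,
                          more | (off // 8), 64, proto, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        frags.append(hdr + chunk)
    return frags

def filter_view(pkt):
    """Fields a stateless packet filter can read from a single packet."""
    ver_ihl, _, _, _, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8   # offset is carried in 8-byte units
    view = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "offset": offset, "mf": bool(flags_off & 0x2000),
            "sport": None, "dport": None}
    if offset == 0 and proto == 17:     # the UDP header exists only at offset 0
        view["sport"], view["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return view

def port_rule_matches(view, port=53):
    """A UDP port rule can match only when a port is visible in the packet."""
    return view["proto"] == 17 and port in (view["sport"], view["dport"])

def demo():
    # Constructed sample: an 1800-byte answer from port 53 to client port 40000.
    payload = b"\x00" * 1800
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(payload), 0) + payload
    frags = ipv4_fragments("192.0.2.53", "198.51.100.10", 17, udp)
    return [filter_view(f) for f in frags]

if __name__ == "__main__":
    for v in demo():
        print(v, "| port rule matches:", port_rule_matches(v))
```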