Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 3 May 2014 01:25:40 -0400
From:      Garrett Wollman <wollman@bimajority.org>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Message-ID:  <21348.32212.390793.959943@hergotha.csail.mit.edu>
In-Reply-To: <20140503133437.R11699@sola.nimnet.asn.au>
References:  <3867.1399059743@server1.tristatelogic.com> <5363FA70.9040100@delphij.net> <20140503133437.R11699@sola.nimnet.asn.au>

next in thread | previous in thread | raw e-mail | index | archive | help
<<On Sat, 3 May 2014 13:53:44 +1000 (EST), Ian Smith <smithi@nimnet.asn.au> said:

> I've always allowed frags, as per the example rulesets in rc.firewall.  
> I only recall seeing them on DNS responses from zen.spamhaus.org, where 
> I see plenty of these after a resetlog before the logging limit kicks 
> in.  I doubt I'd be getting rid of ~90% of incoming spam without; eg:

Blocking inbound fragments will definitely screw you when you try to
use DNSsec.

-GAWollman




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?21348.32212.390793.959943>