Date: Wed, 28 Jan 2015 21:08:27 +0300 From: Lev Serebryakov <lev@FreeBSD.org> To: Freddie Cash <fjwcash@gmail.com> Cc: freebsd-net <freebsd-net@freebsd.org>, Matthew Seaman <m.seaman@infracaninophile.co.uk> Subject: Re: Problems with IP fragments Message-ID: <54C9259B.4030508@FreeBSD.org> In-Reply-To: <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com> References: <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org> <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 28.01.2015 21:04, Freddie Cash wrote: >> Looks like "IP Fragments Filtered", but I don't understand — why >> and where?! >> >> I'm using ipfw on both hosts, but I don't have any special rules >> about IP fragments at all! And as these systems are in >> completely different networks, with different uplinks and FreeBSD >> versions! >> > > IPFW doesn't deal with IP fragment reassembly by default. Oh, I see. And as second fragment is not "UDP" (it doesn't have UDP header!), it doesn't pass through stateful firewall... I see now. Thank you. > You can add something like the following to the start of the IPFW > ruleset to work around it (one for each NIC): > > $IPFW add reass ip from any to any in recv $NIC0 $IPFW add reass > ip from any to any in recv $NIC1 ... > - -- // Lev Serebryakov -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQJ8BAEBCgBmBQJUySWbXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EeP/WUP/RJUv19sCqjt3/a/TNH/b6vs 8IcjQA3rD4i1NgUWn1w0Olro4SlzkbqDFzv/ShvNA5TSH6NbhJpaBkO9dno8nwDB 8K1GuTqYnDqAIexHw+br/dkcTLrah4h80tiucn0fSs12qOFaN5zJGchLDpxeEEg5 Okncf/0Ef20ooaUfRXwcD+C0gmaYkiWZ2+VcmbqsZvT3gvdAiEXpPJjqp3agUr/4 aTGriLZwo6OHTZdW7FQuKIV+4KO2piga+pF1lZKb78VOwgEYhw3yISuFzddIdaUd T+Uj/qDjYgjqyxt+cSXIpnsY4jKQ6fR3EOoERgv5VXtRdunHC/6i9vygp6cga3rj EZNAFlc+6ecmX9yPCdV5ScCvjh8lYZKuQivYNMauwI8o+Jud3dHJTCtl3zaVl18C b2Y7+6gNY/oM78H1b63R79DVf+ohSmlLHW+hSqXfYcrqmT+ocCfOK13ybEoV93N1 nTMEDom83lvMhbDm9HHSBYbMyDKKPf6bX4VX2aZbjL+3u5VBclgKHMIS2U5VUBm/ h7fWIPys/XVs+eHNACkye0qh/7bHQ0GarMhJ27nHA+qrkbnmzqT1Ush7bQXyrgVJ MfzU/JI/1u5Dw558innRMLP+3FnjjiITth/ZQCVzNXndVai4vpVXfzNdCRhNGQgV kIJ0H5+AoXwiL5qLYR1x =MY36 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54C9259B.4030508>