On 2019-08-31 22:42:59 (+0200), László Károlyi <[email protected]> wrote:
> Hey,
>
> I've installed unbound into a jail to use it as a nameserver. After
> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
> saw PF dropping the UDP fragment packages arriving to and from my jail.
> According to the pf.conf readme, the IP header of the fragmented packets
> still contains the protocol type (TCP/UDP), but not the port number. I
> hope it's not a documentation bug.
>
You really, really want to have pf reassemble packets prior to filtering.
Use 'scrub all fragment reassemble'.

Regards,
Kristof
