Hi, can I get an explanation/argument as to why, and what implications it has when I don't enable it?
Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2019-08-31 23:10, Kristof Provost wrote:
> On 2019-08-31 22:42:59 (+0200), László Károlyi <las...@karolyi.hu> wrote:
>> Hey,
>>
>> I've installed unbound into a jail to use it as a nameserver. After
>> setting up PF to allow UDP fragments to the jail's IPv6 address, I still
>> saw PF dropping the UDP fragment packages arriving to and from my jail.
>> According to the pf.conf readme, the IP header of the fragmented packets
>> still contains the protocol type (TCP/UDP), but not the port number. I
>> hope it's not a documentation bug.
>>
> You really, really want to have pf reassemble packets prior to
> filtering.
> Use 'scrub all fragment reassemble'.
>
> Regards,
> Kristof