We use the following for UDP fragments, specifically this issue actually:

    # udp frags (large dnssec responses)
    add 02030 allow udp from any to me frag
On 1/28/15, 1:08 PM, "Lev Serebryakov" <l...@freebsd.org> wrote:

> On 28.01.2015 21:04, Freddie Cash wrote:
>
>>> Looks like "IP Fragments Filtered", but I don't understand — why
>>> and where?!
>>>
>>> I'm using ipfw on both hosts, but I don't have any special rules
>>> about IP fragments at all! And these systems are in
>>> completely different networks, with different uplinks and FreeBSD
>>> versions!
>>>
>>
>> IPFW doesn't deal with IP fragment reassembly by default.
>
> Oh, I see. And as the second fragment is not "UDP" (it doesn't have a UDP
> header!), it doesn't pass through the stateful firewall... I see now.
> Thank you.
>
>> You can add something like the following to the start of the IPFW
>> ruleset to work around it (one for each NIC):
>>
>> $IPFW add reass ip from any to any in recv $NIC0
>> $IPFW add reass ip from any to any in recv $NIC1
>> ...
>>
>
> --
> // Lev Serebryakov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
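The two approaches in this thread (per-NIC `reass` rules ahead of the stateful rules, versus a plain `allow udp ... frag` rule) differ in what they let through, so here is an added example script, not code from the thread or from FreeBSD, that builds both rule sets and only loads them if ipfw is actually present. Interface names, rule numbers, the DNS-only policy and the script name `ipfw_frag.sh` are assumptions. Two points from ipfw(8) drive the layout: `reass` only continues processing with the next rule for the reassembled datagram when `net.inet.ip.fw.one_pass` is 0 (otherwise the reassembled packet is simply allowed), and a non-first fragment carries no UDP header, so a `frag` rule cannot check ports or state.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD). Emits an ipfw ruleset
# that reassembles IP fragments before the stateful rules see them, and the
# looser "frag" rule from the post for comparison. All names are assumptions.

IPFW=${IPFW:-/sbin/ipfw}

# Print the rules for the given interfaces, one per line, without loading them.
# The reass rules come first so that the reassembled datagram, not its pieces,
# is what check-state/keep-state evaluate.
gen_frag_rules() {
    n=100
    for nic in "$@"; do
        # reass consumes middle fragments and rebuilds the datagram on the
        # last one; with net.inet.ip.fw.one_pass=0 the rebuilt packet then
        # continues to the rules below (with one_pass=1 it is just allowed).
        echo "add $n reass ip from any to any in recv $nic"
        n=$((n + 1))
    done
    echo "add 1000 check-state"
    # Outbound DNS queries create state; large (DNSSEC) replies are
    # reassembled above and then matched against that state.
    echo "add 1100 allow udp from me to any 53 out keep-state"
    echo "add 1200 allow tcp from me to any 53 out setup keep-state"
    echo "add 65000 deny ip from any to any"
}

# The rule from the post. It matches non-first fragments of UDP datagrams
# addressed to this host; those fragments carry no UDP header, so neither
# the port nor the stateful table can be checked, and every such fragment
# is accepted regardless of which flow it belongs to.
gen_frag_allow_rule() {
    echo "add 02030 allow udp from any to me frag"
}

# Load the rules through ipfw when it exists and DRY_RUN is unset;
# otherwise just print them.
apply_rules() {
    if [ -x "$IPFW" ] && [ -z "$DRY_RUN" ]; then
        # Without this, reass accepts the reassembled packet outright.
        sysctl net.inet.ip.fw.one_pass=0
        gen_frag_rules "$@" | while read -r rule; do
            # shellcheck disable=SC2086  # word splitting is intended here
            "$IPFW" -q $rule
        done
    else
        gen_frag_rules "$@"
    fi
}

# Usage (assumed file name): sh ipfw_frag.sh em0 em1   or   DRY_RUN=1 sh ipfw_frag.sh em0
if [ "$(basename "$0")" = "ipfw_frag.sh" ]; then
    [ $# -eq 0 ] && set -- em0
    apply_rules "$@"
fi
```

The `reass` rules are restricted with `in recv $nic` because, as ipfw(8) itself notes, fragments carry no port numbers, so direction and interface are the only narrowing available at that point; the real policy decision is left to the stateful rules that see the reassembled datagram.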