On Wed, 28-Jan-2015 at 10:04:57 -0800, Freddie Cash wrote:
> On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov <l...@freebsd.org> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 28.01.2015 20:38, Matthew Seaman wrote:
> >
> > > What do you get if you run the reply size test at DNS-OARC ?
> > >
> > > https://www.dns-oarc.net/oarc/services/replysizetest
> >
> > 0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> > on 9.3.
> >
> > Looks like "IP Fragments Filtered", but I don't understand — why and
> > where?!
> >
> > I'm using ipfw on both hosts, but I don't have any special rules
> > about IP fragments at all! And as these systems are in completely
> > different networks, with different uplinks and FreeBSD versions!
> >
>
> IPFW doesn't deal with IP fragment reassembly by default.
>
> You can add something like the following to the start of the IPFW ruleset
> to work around it (one for each NIC):
>
> $IPFW add reass ip from any to any in recv $NIC0
> $IPFW add reass ip from any to any in recv $NIC1

The ipfw man page says:

    Usually a simple rule like:

        # reassemble incoming fragments
        ipfw add reass all from any to any in

    is all you need at the beginning of your ruleset.

However, I could never make this work. It eats all fragments but the
resulting final packet never makes it. I am back to

    ipfw -q add 1 pass udp from any to $myip frag in recv $ifc

as I need it only for UDP.

Frag reassembly in pf works well on the other hand...

-Andre

> ...
>
> --
> Freddie Cash
> fjwc...@gmail.com
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

--
A fool with a tool is still a fool.
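
The following is an added example, not code from anyone in this thread and not ipfw's implementation: a simplified model of why a large DNS-over-UDP reply is lost when a stateless filter matches on UDP ports without reassembling first. Only the fragment at offset 0 carries the UDP header, so later fragments cannot match a port rule. The ports, payload size and function names are constructed for illustration.

```python
import struct

MTU, IP_HDR = 1500, 20   # assumed Ethernet MTU, IPv4 header without options

def fragment(udp_datagram, mtu=MTU):
    """Split UDP header+payload into (offset_in_8_byte_units, more_fragments, data)."""
    step = (mtu - IP_HDR) // 8 * 8       # fragment data length must be a multiple of 8
    return [(off // 8, off + step < len(udp_datagram), udp_datagram[off:off + step])
            for off in range(0, len(udp_datagram), step)]

def udp_ports(frag):
    """Return (src, dst) ports, or None: only the first fragment has a UDP header."""
    off, _mf, data = frag
    if off != 0 or len(data) < 8:
        return None
    return struct.unpack("!HH", data[:4])

def port_filter(frags, dst_port):
    """Model of a stateless 'pass udp ... dst-port N' rule applied per packet."""
    return [f for f in frags if (p := udp_ports(f)) and p[1] == dst_port]

def reassemble(frags):
    """Return the full datagram if every piece is present, else None."""
    frags = sorted(frags)
    buf = b""
    for off, _mf, data in frags:
        if off * 8 != len(buf):
            return None                  # hole: a fragment is missing
        buf += data
    return buf if frags and not frags[-1][1] else None

# Constructed sample: a 3000-byte reply from port 53 to client port 40000.
PAYLOAD = bytes(3000)
DATAGRAM = struct.pack("!HHHH", 53, 40000, 8 + len(PAYLOAD), 0) + PAYLOAD
FRAGS = fragment(DATAGRAM)

def filter_then_reassemble():
    """Port rule sees raw fragments: only the first passes, the reply is lost."""
    return reassemble(port_filter(FRAGS, 40000))

def reassemble_then_filter():
    """Reassembly happens first: the rule sees one whole datagram with ports."""
    whole = reassemble(FRAGS)
    passed = port_filter([(0, False, whole)], 40000)
    return passed[0][2] if passed else None

if __name__ == "__main__":
    print("fragments:", [(o, mf, len(d)) for o, mf, d in FRAGS])
    print("filter first ->", filter_then_reassemble())
    print("reassemble first ->", len(reassemble_then_filter()), "bytes delivered")
```
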