> On 20 February 2021, at 04:13, Kristof Provost <k...@freebsd.org> wrote:
>
> If you don’t have scrub fragment reassemble set then you have to include
> something like pass log inet6 proto ipv6-frag all to pass fragmented packets
> (assuming you block by default).
>
> You really, really want scrub fragment reassemble because otherwise your
> firewall can be trivially bypassed, but you need one of the two for
> fragmented packets to work.
>
I went with reassembly as it was easy to configure. However, is there some place where the trivial bypassing is addressed in detail? I would like to understand that.

--
Doug
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
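
Added example, not part of the original messages and not FreeBSD project code: a small audit script that reports which of the two fragment-handling options named in the thread a pf.conf ruleset uses. The function names and the sample rulesets are constructed for illustration, and the matcher assumes the options are spelled as in the thread (an explicit "fragment reassemble" on a scrub rule, or a pass rule with "proto ipv6-frag").

```python
import re

def logical_lines(text):
    """Yield pf.conf rules with '#' comments removed and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield " ".join(buf.split())
        buf = ""
    if buf.strip():
        yield " ".join(buf.split())

def fragment_policy(text):
    """Return 'reassemble', 'pass-unreassembled' or 'none' for a ruleset."""
    reassemble = passes_frag = False
    for rule in logical_lines(text):
        action = rule.split()[0]
        if action == "scrub" and re.search(r"\bfragment reassemble\b", rule):
            reassemble = True
        elif action == "pass" and re.search(r"\bproto\b.*\bipv6-frag\b", rule):
            passes_frag = True
    if reassemble:
        return "reassemble"          # the option recommended in the thread
    # 'pass-unreassembled': fragments work, but rules never see a whole packet.
    # 'none': with a default block, fragmented packets are dropped.
    return "pass-unreassembled" if passes_frag else "none"

# Constructed sample rulesets (not taken from any real host).
REASSEMBLE = """
scrub in all fragment reassemble
block log all
pass out all keep state
"""
PASS_FRAGS = """
block log all
pass log inet6 proto ipv6-frag all   # rule quoted in the thread
pass in inet6 proto tcp to port 22
"""
NEITHER = """
block log all
pass in inet6 proto tcp \\
    to port 22
"""

if __name__ == "__main__":
    for name in ("REASSEMBLE", "PASS_FRAGS", "NEITHER"):
        print(name, "->", fragment_policy(globals()[name]))
```

A result of 'pass-unreassembled' is the configuration the quoted reply warns about, and 'none' on a default-block ruleset means fragmented packets will not get through at all.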