> On 20 February 2021, at 04:13, Kristof Provost <k...@freebsd.org> wrote:
> 
> If you don’t have scrub fragment reassemble set then you have to include 
> something like pass log inet6 proto ipv6-frag all to pass fragmented packets 
> (assuming you block by default).
> 
> You really, really want scrub fragment reassemble because otherwise your 
> firewall can be trivially bypassed, but you need one of the two for 
> fragmented packets to work.
> 
I went with reassembly as it was easy to configure.  However, is there some 
place where the trivial bypassing is addressed in detail?  I would like to 
understand that.

-- Doug

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
