keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Sergey Matveychuk
sem at FreeBSD.org
Sat Mar 14 07:38:19 PDT 2009
Dmitriy Demidov wrote:
> Unbound starts working only when I put in ipfw this set of rules to handle all UDP packets outside of the keep-state rules:
> add allow udp from any to any
What if you add:
add allow ip from any to any frag
instead of the line above?
> add check-state
> add deny icmp from any to any frag
I'm not sure the line above is correct.
> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
>
> It looks like dynamically created rules somehow inadequately handle big UDP packets (DNSSEC answers are big).
> Is there any who can help to investigate this issue (looks like I can't do it myself)?
> Can it be ipfw related issue?
--
Dixi.
Sem.
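The mechanism behind the symptom in this thread, as an added illustration that is not code from the freebsd-ipfw list or from ipfw itself: a UDP datagram larger than the path MTU is split into IP fragments, and only the first fragment carries the UDP header. A dynamic rule created by `keep-state` is keyed on addresses and ports, so it can only match the first fragment; the remaining fragments reach `deny ip from any to any` and the resolver never sees a complete answer. The script builds a 3000-byte reply (a constructed stand-in for a large DNSSEC answer), fragments it for a 1500-byte MTU, and runs each fragment through a simplified model of the ruleset quoted above, with and without the `allow ip from any to any frag` rule placed before `check-state`. The addresses, ports and the state-table lookup are assumptions of this model, not ipfw's internal data structures.

```python
"""Why keep-state rules do not see non-first IP fragments (constructed model)."""
import struct

MTU = 1500
IPV4_HLEN = 20
UDP_HLEN = 8
PROTO_UDP = 17

# Constructed addresses from the documentation ranges (not from the thread).
RESOLVER = ("192.0.2.10", 40000)      # host running Unbound, ephemeral source port
AUTH_NS = ("198.51.100.53", 53)       # an authoritative name server


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_udp_datagram(src, dst, payload, ident=0x1234):
    """Return one unfragmented IPv4 packet carrying a UDP datagram (checksums zeroed)."""
    udp = struct.pack("!HHHH", src[1], dst[1], UDP_HLEN + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HLEN + len(udp), ident, 0, 64,
                         PROTO_UDP, 0, ip_to_bytes(src[0]), ip_to_bytes(dst[0]))
    return ip_hdr + udp


def fragment(packet, mtu=MTU):
    """Split an IPv4 packet into fragments the way a sending host does.

    Every fragment repeats the IP header, but the UDP header is simply the
    first 8 payload bytes, so only the fragment at offset 0 contains ports.
    """
    hdr = bytearray(packet[:IPV4_HLEN])
    data = packet[IPV4_HLEN:]
    step = (mtu - IPV4_HLEN) // 8 * 8        # fragment offsets count in 8-byte units
    frags = []
    for off in range(0, len(data), step):
        chunk = data[off:off + step]
        more = off + step < len(data)
        struct.pack_into("!H", hdr, 2, IPV4_HLEN + len(chunk))        # total length
        struct.pack_into("!H", hdr, 6, (0x2000 if more else 0) | off // 8)  # MF|offset
        frags.append(bytes(hdr) + chunk)
    return frags


def parse_ipv4(frag):
    """Decode the header fields a packet filter looks at."""
    vihl, _, total, _, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frag[:IPV4_HLEN])
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "offset": (flags_off & 0x1FFF) * 8,
        "payload": frag[(vihl & 0x0F) * 4:total],
    }


def udp_ports(pkt):
    """Return (sport, dport), or None when the fragment carries no UDP header."""
    if pkt["proto"] != PROTO_UDP or pkt["offset"] != 0 or len(pkt["payload"]) < UDP_HLEN:
        return None
    return struct.unpack("!HH", pkt["payload"][:4])


def filter_inbound(frag, dyn_table, allow_frag_rule):
    """Simplified model of the thread's ruleset for one inbound packet.

    Order modelled:  [allow ip from any to any frag]  (only if allow_frag_rule)
                     check-state                      (dynamic rules keyed on the 4-tuple)
                     deny ip from any to any
    """
    pkt = parse_ipv4(frag)
    if allow_frag_rule and pkt["offset"] != 0:
        return "allow (frag rule)"
    ports = udp_ports(pkt)
    if ports is not None:
        sport, dport = ports
        # A dynamic rule from "allow udp from me to any out keep-state" is
        # modelled as (local addr, local port, remote addr, remote port).
        if (pkt["dst"], dport, pkt["src"], sport) in dyn_table:
            return "allow (dynamic rule)"
    # Non-first fragments have no ports, so no dynamic rule can ever match them.
    return "deny"


def simulate(reply_size=3000, allow_frag_rule=False):
    """Outbound query creates state; then filter each fragment of the reply."""
    dyn_table = {(RESOLVER[0], RESOLVER[1], AUTH_NS[0], AUTH_NS[1])}
    reply = build_udp_datagram(AUTH_NS, RESOLVER, b"\x00" * reply_size)
    return [filter_inbound(f, dyn_table, allow_frag_rule) for f in fragment(reply)]


if __name__ == "__main__":
    print("without frag rule:", simulate())
    print("with frag rule:   ", simulate(allow_frag_rule=True))
```

Without the fragment rule the 3000-byte reply yields one allowed fragment and two denied ones, so reassembly never completes; with it, the first fragment is still gated by the dynamic rule while the trailing fragments pass. The trade-off a defender should keep in mind is that `allow ip from any to any frag` admits every non-first fragment regardless of state, so the first fragment remains the only one the stateful rules actually inspect.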