udp fragmentation with pf/ipf
Mark Andrews
Mark_Andrews at isc.org
Fri May 18 00:49:51 UTC 2007
>
> This should be rejected as "keep frags" is meaningless here.
>
> pass out log quick on bge0 proto udp from xxx.xxx.xxx.113/32 to any port = 53
> keep state keep frags
>
> You need
>
> pass in quick from any to any with frag keep frag
The reason is that "ip" fragments do not have next level headers.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
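
Added example (not part of the original message): a Python sketch of why a port-based rule cannot match non-first fragments. It fragments a constructed 3000-byte UDP datagram from port 53 at a 1500-byte MTU and reports what a filter can read from each fragment; the addresses, ports and function names are all constructed for illustration.

```python
import struct

def ipv4_header(src, dst, payload_len, ident, offset_bytes, more_frags, proto=17):
    """Build a 20-byte IPv4 header (checksum left at 0; not needed here)."""
    flags_frag = (0x2000 if more_frags else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0, bytes(src), bytes(dst))

def fragment(src, dst, l4_datagram, mtu=1500, ident=0x1234):
    """Split one L4 datagram into IPv4 fragments, as a router or host would."""
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(l4_datagram), chunk):
        data = l4_datagram[off:off + chunk]
        more = off + chunk < len(l4_datagram)
        frags.append(ipv4_header(src, dst, len(data), ident, off, more) + data)
    return frags

def classify(packet):
    """Return what a filter can see: (is_fragment, offset, src_port, dst_port)."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, = struct.unpack("!H", packet[6:8])
    offset = (flags_frag & 0x1FFF) * 8
    is_frag = bool(flags_frag & 0x2000) or offset > 0
    if offset > 0:
        # Non-first fragment: bytes after the IP header are mid-payload data,
        # not a UDP header, so there are no ports to match on.
        return is_frag, offset, None, None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return is_frag, offset, sport, dport

def demo():
    # Constructed sample: 3000-byte UDP payload from port 53 to port 40000.
    payload = b"\x00" * 3000
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(payload), 0) + payload
    frags = fragment([192, 0, 2, 53], [198, 51, 100, 113], udp)
    return [classify(f) for f in frags]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the fragment at offset 0 exposes ports; the other two carry none, which is why the fragments need their own `with frag` rule rather than relying on the port 53 rule.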