IPv6 Fragmentation
Doug Hardie
bc979 at lafn.org
Sat Feb 20 23:02:14 UTC 2021
> On 20 February 2021, at 04:13, Kristof Provost <kp at FreeBSD.org> wrote:
>
> If you don’t have scrub fragment reassemble set then you have to include something like pass log inet6 proto ipv6-frag all to pass fragmented packets (assuming you block by default).
>
> You really, really want scrub fragment reassemble because otherwise your firewall can be trivially bypassed, but you need one of the two for fragmented packets to work.
>
I went with reassembly as it was easy to configure. However, is there some place where the trivial bypassing is addressed in detail? I would like to understand that.
-- Doug
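
Added example (not part of the original thread and not pf's code): a simplified Python model of what a filter that judges each packet on its own can read from IPv6 fragments, compared with what it can read after reassembly. The addresses, ports, payload and function names are constructed for illustration.

```python
import struct

FRAG, TCP = 44, 6  # IPv6 Next Header values: Fragment header, TCP
SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed (2001:db8::/32)
DST = bytes.fromhex("20010db8000000000000000000000002")  # constructed (2001:db8::/32)

def ipv6(next_header, payload):
    """40-byte IPv6 header (hop limit 64) followed by the payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload

def frag_hdr(next_header, offset_bytes, more, ident):
    """8-byte Fragment header: next header, reserved, offset in 8-byte units + M flag, id."""
    return struct.pack("!BBHI", next_header, 0, (offset_bytes // 8) << 3 | int(more), ident)

def visible_dport(packet):
    """TCP destination port readable from this one packet, or None if it is not there."""
    nh, body = packet[6], packet[40:]
    if nh == FRAG:
        nh, _, off_m, _ = struct.unpack("!BBHI", body[:8])
        if off_m >> 3:          # non-first fragment: carries no upper-layer header
            return None
        body = body[8:]
    if nh != TCP or len(body) < 4:
        return None
    return struct.unpack("!H", body[2:4])[0]

def reassemble(fragments):
    """Rebuild the packet from fragments assumed to share one identification value."""
    parts, total, nh = {}, None, None
    for p in fragments:
        nh, _, off_m, _ = struct.unpack("!BBHI", p[40:48])
        start = (off_m >> 3) * 8
        parts[start] = p[48:]
        if not off_m & 1:       # M flag clear: last fragment fixes the total length
            total = start + len(p[48:])
    data = b""
    for start in sorted(parts):
        if start != len(data):  # refuse gaps and overlaps instead of guessing
            raise ValueError("gap or overlap in fragments")
        data += parts[start]
    if total != len(data):
        raise ValueError("last fragment missing")
    return ipv6(nh, data)

# Constructed sample: a 32-byte TCP segment (checksum left at 0) split into 24 + 8 bytes.
SEGMENT = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 0, 5 << 4, 0x02, 1024, 0, 0) + b"constructed!"
ORIGINAL = ipv6(TCP, SEGMENT)
FRAGS = [ipv6(FRAG, frag_hdr(TCP, 0, True, 7) + SEGMENT[:24]),
         ipv6(FRAG, frag_hdr(TCP, 24, False, 7) + SEGMENT[24:])]
```

Only the first fragment exposes the port a rule would match on; the second gives a per-packet filter nothing to evaluate until the pieces are put back together.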