FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

Garrett Wollman wollman at bimajority.org
Sat May 3 05:25:43 UTC 2014


<<On Sat, 3 May 2014 13:53:44 +1000 (EST), Ian Smith <smithi at nimnet.asn.au> said:

> I've always allowed frags, as per the example rulesets in rc.firewall.  
> I only recall seeing them on DNS responses from zen.spamhaus.org, where 
> I see plenty of these after a resetlog before the logging limit kicks 
> in.  I doubt I'd be getting rid of ~90% of incoming spam without; eg:

Blocking inbound fragments will definitely screw you when you try to
use DNSSEC.

-GAWollman



More information about the freebsd-security mailing list