fixing out of order first fragment processing?
othermark
atkin901 at yahoo.com
Thu Jul 22 15:32:31 PDT 2004
Max Laier wrote:
> On Thursday 22 July 2004 23:34, othermark wrote:
> Activation of pf with a
> scrub in on <interface> fragment reassemble
> rule works as workaround.
Thanks for this suggestion,
I have a 'scrub in all fragments reassemble' that I just added and loaded
to my /etc/pf.conf, which does not seem to solve the problem. Do I have to
specify a scrub for each interface in this case (maybe a better question
for the pf list)?
> In every case you have to decide if you want to
> invest the required memory to store fragments, which might make you
> easy/easier prey for DoS-attacks. Usually, for an average gateway the cost
> is worth the gain (= increased security).
Most of the current systems today are able to handle both types of
sequences. It really is a small processing hit, FreeBSD already does
some buffering with proper safeguards/maximums for various
traffic patterns.
I would suspect some NFS/udp interoperability problems with the way it
handles fragments right now.
--
othermark
atkin901 at nospam dot yahoo dot com
(!wired)?(coffee++):(wired);
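As an added illustration (not part of the original thread) of the scrub setup under discussion: a pf.conf fragment that turns on fragment reassembly for every interface with a single rule and bounds the memory pf may spend on it. The interface name em0 and the limit of 5000 fragments are assumed values.

```pf
# Added example pf.conf fragment; em0 and the fragment limit are assumed values.

# Cap the number of fragments pf will hold for reassembly so that a flood of
# fragments cannot exhaust kernel memory (the DoS cost raised in the thread).
set limit frags 5000

# A single scrub rule on "all" applies to every interface, so no per-interface
# rule is required. "fragment reassemble" buffers fragments until the whole
# datagram has arrived, which also covers fragments that arrive out of order.
# Note that pf.conf(5) spells the keyword "fragment", not "fragments".
scrub in all fragment reassemble

# Equivalent per-interface form, only needed when just one interface should
# be scrubbed:
# scrub in on em0 fragment reassemble
```

After `pfctl -f /etc/pf.conf`, `pfctl -s rules` lists the loaded scrub rule and `pfctl -s memory` shows the frags limit in effect.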