[Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
bugzilla-noreply at freebsd.org
Sun Mar 11 16:22:32 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
--- Comment #2 from Helge Oldach <freebsd at oldach.net> ---
(In reply to Mark Felder from comment #1)
Tested and works.
However the reass should come *before* the check-state as fragments (except the
first) don't include protocol and port numbers and thus cannot match
check-state anyway. We need to reassemble first, then check-state will do the
right thing. (It doesn't harm to implement as proposed, but we may save a few
cycles if we reass first.)
Furthermore, along the same line we should not only reassemble UDP but any IP
packet (including IPv6), which is also suggested by ipfw(8) manpage:
Usually a simple rule like:

    # reassemble incoming fragments
    ipfw add reass all from any to any in

is all you need at the beginning of your ruleset.
--
You are receiving this mail because:
You are the assignee for the bug.
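The following is an added example, not part of the bug report, the comment above, or FreeBSD's rc.firewall: a minimal workstation-style inbound prelude that places `reass all from any to any in` ahead of `check-state`, as the comment recommends, so that non-first fragments (which carry no protocol or port numbers) are reassembled before the dynamic-rule lookup. The rule numbers, the `FWCMD` variable, and the `build_prelude` and `rule_number` helpers are assumptions chosen for illustration; `FWCMD` defaults to `echo ipfw` so the script can be run as a dry run and the rule order inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the bug report or rc.firewall): workstation-style
# prelude that reassembles every incoming IP fragment before check-state.
# FWCMD defaults to a dry run; set FWCMD=/sbin/ipfw to load the rules for real.
FWCMD="${FWCMD:-echo ipfw}"

# Emit the prelude. Rule numbers 100/200/300 are assumptions for illustration.
build_prelude() {
    # Reassemble all incoming fragments (IPv4 and IPv6) first: fragments other
    # than the first carry no L4 header, so check-state cannot match them.
    ${FWCMD} add 100 reass all from any to any in
    # Dynamic rules now see whole datagrams, e.g. a large DNSSEC reply.
    ${FWCMD} add 200 check-state
    # Outbound traffic creates the dynamic entries that check-state consults.
    ${FWCMD} add 300 allow ip from me to any out keep-state
}

# Verification helper: print the rule number of the first emitted rule whose
# text matches the given pattern (works on the dry-run output).
rule_number() {
    build_prelude | awk -v pat="$1" '$0 ~ pat { print $3; exit }'
}

# Ordering check a practitioner can run before loading the ruleset:
# reass must come before check-state.
check_order() {
    [ "$(rule_number reass)" -lt "$(rule_number check-state)" ]
}

build_prelude
check_order && echo "ok: reass precedes check-state"
```

Run it as-is to see the rules that would be loaded and confirm the ordering; with `FWCMD=/sbin/ipfw` the same function loads them. Because `reass` is applied to `all`, the same rule covers UDP, TCP, and IPv6 fragments, which is what the ipfw(8) excerpt above suggests.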