Problems with DNSSEC -- answer in fragmented UDP doesn't work

Kevin Oberman rkoberman at gmail.com
Sun Feb 1 00:18:59 UTC 2015


On Fri, Jan 30, 2015 at 10:11 PM, David DeSimone <ddesimone at verio.net>
wrote:

> Kevin Oberman wrote:
> >
> > For ipfw you need something like "allow ip from any to me frag". If you
> > want to restrict this to DNS, restrict it to dst-port 53.
>
> Unfortunately, UDP fragments only contain the port number in the very
> first fragment.  So you will not be able to forward the later fragments
> based on port number.  You can only see the Src/Dest IP and Protocol number
> in the fragment.
>
> --
> David DeSimone == fox at verio.net == Network Admin
>

You are, of course, correct. Specifying a destination port is meaningless.
If you accept any fragments, you accept all of them.
-- 
Kevin Oberman, Network Engineer, Retired
E-mail: rkoberman at gmail.com
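An added illustration of the point made above (example code written for this archive page, not from the thread, ipfw or FreeBSD): it builds a constructed 3000-byte UDP answer from port 53, fragments it at a 1500-byte MTU, and shows that only the offset-0 fragment carries the UDP header, so a port match can only ever see the first fragment while a "frag" style match sees the rest with no port information at all. The addresses, ports and the helper names `fragment_udp`, `classify`, `port_rule_matches` and `frag_rule_matches` are assumptions made for the example; the two rule functions only approximate the ipfw semantics discussed.

```python
import struct

IP_PROTO_UDP = 17
IP_FLAG_MF = 0x2000  # "more fragments" bit of the IPv4 flags/offset field

def ipv4_header(src, dst, ident, more_frags, offset, payload_len):
    """20-byte IPv4 header; checksum left at zero since nothing here verifies it."""
    flags_off = (IP_FLAG_MF if more_frags else 0) | (offset // 8)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, IP_PROTO_UDP, 0, src_b, dst_b)

def fragment_udp(src, dst, sport, dport, payload, mtu=1500, ident=0x1234):
    """Build one UDP datagram and split it into IPv4 fragments as a sender would."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    chunk = (mtu - 20) // 8 * 8          # fragment data length must be a multiple of 8
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(ipv4_header(src, dst, ident, more, off, len(piece)) + piece)
    return frags

def classify(pkt):
    """Return what a filter can see in one fragment: IPs, protocol, offset, and ports if present."""
    ver_ihl, _, _, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "offset": offset, "more_frags": bool(flags_off & IP_FLAG_MF),
            "ports": None}
    if offset == 0 and proto == IP_PROTO_UDP:          # UDP header is in the first fragment only
        info["ports"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def port_rule_matches(pkt, port=53):
    """A 'dst-port 53' style match (assumed semantics): succeeds only where a UDP header is visible."""
    ports = classify(pkt)["ports"]
    return ports is not None and port in ports

def frag_rule_matches(pkt):
    """An 'allow ip from any to me frag' style match (assumed semantics): any non-first fragment."""
    return classify(pkt)["offset"] != 0

# Constructed sample: a 3000-byte DNSSEC-sized answer from a server's port 53 to a resolver.
ANSWER = bytes(3000)
FRAGS = fragment_udp("192.0.2.53", "198.51.100.7", 53, 40000, ANSWER)
```

Calling `classify` on each element of `FRAGS` shows the ports (53, 40000) for the first fragment and `None` for the other two, which is exactly why the port qualifier cannot help with the later fragments.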

