Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)

Andre Albsmeier andre at fbsd.ata.myota.org
Mon Feb 9 21:22:22 UTC 2015


On Wed, 28-Jan-2015 at 10:04:57 -0800, Freddie Cash wrote:
> On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov <lev at freebsd.org> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 28.01.2015 20:38, Matthew Seaman wrote:
> >
> > > What do you get if you run the reply size test at DNS-OARC ?
> > >
> > > https://www.dns-oarc.net/oarc/services/replysizetest
> >  0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> > on 9.3.
> >
> >  Looks like "IP Fragments Filtered", but I don't understand — why and
> > where?!
> >
> >  I'm using ipfw on both hosts, but I don't have any special rules
> > about IP fragments at all! And as these systems are in completely
> > different networks, with different uplinks and FreeBSD versions!
> >
> 
> IPFW doesn't deal with IP fragment reassembly by default.
> 
> You can add something like the following to the start of the IPFW ruleset
> to work around it (one for each NIC):
> 
> $IPFW add reass ip from any to any in recv $NIC0
> $IPFW add reass ip from any to any in recv $NIC1

The ipfw man page says:

             Usually a simple rule like:

                   # reassemble incoming fragments
                   ipfw add reass all from any to any in

             is all you need at the beginning of your ruleset.

However, I could never make this work. It eats all fragments but
the resulting final packet never makes it. I am back to 

ipfw -q add 1 pass udp from any to $myip frag in recv $ifc

as I need it only for UDP. Frag reassembly in pf works well
on the other hand...

	-Andre


> ...
> 
> -- 
> Freddie Cash
> fjwcash at gmail.com

-- 
A fool with a tool is still a fool.
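The "IP Fragments Filtered" result above comes down to one property of IPv4 fragmentation: only the first fragment carries the UDP header, so a port-based rule cannot identify the rest, and if any fragment is dropped the whole DNS reply is lost. The following Python is an added illustration, not code from this thread or from ipfw; it constructs a large UDP datagram from port 53, splits it at a 1500-byte MTU, and shows both that later fragments have no ports to match and what reassembly sees when one fragment is missing (addresses, ports and the 0x1234 identification are made-up sample values).

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields that matter for fragment handling."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000),      # More Fragments flag
            "offset": (flags_frag & 0x1FFF) * 8,  # fragment offset, in bytes
            "payload": pkt[ihl:total_len]}

def transport_ports(frag: bytes):
    """(src_port, dst_port) if this fragment carries the UDP header, else None.
    Only the offset-0 fragment does, so a port-based rule cannot match the rest."""
    p = parse_ipv4(frag)
    if p["offset"] != 0 or len(p["payload"]) < 4:
        return None
    return struct.unpack("!HH", p["payload"][:4])

def reassemble(fragments):
    """Rebuild one datagram; None if a fragment is missing (e.g. dropped by a filter)."""
    parsed = [parse_ipv4(f) for f in fragments]
    key = lambda p: (p["id"], p["proto"], p["src"], p["dst"])
    parts = sorted((p for p in parsed if key(p) == key(parsed[0])), key=lambda p: p["offset"])
    out, expected, saw_last = bytearray(), 0, False
    for p in parts:
        if p["offset"] != expected:
            return None  # hole in the reassembly buffer
        out += p["payload"]
        expected += len(p["payload"])
        saw_last = saw_last or not p["mf"]
    return bytes(out) if saw_last else None

def make_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed IPv4/UDP fragment from 192.0.2.53 to 192.0.2.10 (checksum left 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, 17, 0,
                      bytes([192, 0, 2, 53]), bytes([192, 0, 2, 10]))
    return hdr + payload

# Constructed 2056-byte UDP datagram (UDP header + 2048-byte body) from port 53,
# split at a 1500-byte MTU: 1480 payload bytes in the first fragment, 576 in the second.
BODY = bytes(range(256)) * 8
DATAGRAM = struct.pack("!HHHH", 53, 40000, 8 + len(BODY), 0) + BODY
FRAGS = [make_fragment(0x1234, 0, True, DATAGRAM[:1480]),
         make_fragment(0x1234, 1480, False, DATAGRAM[1480:])]

if __name__ == "__main__":
    print(transport_ports(FRAGS[0]), transport_ports(FRAGS[1]))  # (53, 40000) None
    print(reassemble(FRAGS) == DATAGRAM, reassemble(FRAGS[:1]))  # True None
```

This is why a ruleset either has to reassemble first (`reass`) or explicitly pass fragments with the `frag` keyword: a rule that names a port silently never sees the second fragment.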

