Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)

Freddie Cash fjwcash at gmail.com
Wed Jan 28 18:04:58 UTC 2015


On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov <lev at freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 28.01.2015 20:38, Matthew Seaman wrote:
>
> > What do you get if you run the reply size test at DNS-OARC ?
> >
> > https://www.dns-oarc.net/oarc/services/replysizetest
>  0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> on 9.3.
>
>  Looks like "IP Fragments Filtered", but I don't understand — why and
> where?!
>
>  I'm using ipfw on both hosts, but I don't have any special rules
> about IP fragments at all! And as these systems are in completely
> different networks, with different uplinks and FreeBSD versions!
>

IPFW doesn't deal with IP fragment reassembly by default.

You can add something like the following to the start of the IPFW ruleset
to work around it (one for each NIC):

$IPFW add reass ip from any to any in recv $NIC0
$IPFW add reass ip from any to any in recv $NIC1
...

-- 
Freddie Cash
fjwcash at gmail.com


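As an added illustration (not part of the original message, and not ipfw's own code), the following Python script simulates the mechanism behind the advice above. It builds a constructed IPv4/UDP "DNS reply" with 1400 bytes of filler payload, fragments it at a 576-byte MTU the RFC 791 way, and applies a port-matching rule equivalent to "allow udp from any 53 to any in" to each fragment, first as-is and then after a minimal reassembly step standing in for ipfw's reass action. Only the first fragment carries the UDP header, so a port rule cannot match the later ones; a firewall that does not reassemble first has no port information to match and the fragmented answer never gets through. All addresses, ports, sizes and payload bytes are constructed sample values.

```python
"""Why port-based firewall rules drop non-first IP fragments unless the
firewall reassembles first. Constructed simulation; nothing is sent."""
import socket
import struct

IPPROTO_UDP = 17
MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ident: int, frag_field: int = 0) -> bytes:
    """Minimal IPv4 packet, no options. frag_field packs the MF bit and offset/8."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                      64, IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with the checksum left zero (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(packet: bytes, mtu: int) -> list:
    """Split one IPv4 packet into MTU-sized fragments (RFC 791). The IP header is
    copied to every fragment; the UDP header only rides in the first one."""
    hdr, payload = packet[:20], packet[20:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    chunk = (mtu - 20) // 8 * 8  # payload per fragment must be a multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = MF if off + chunk < len(payload) else 0
        frags.append(build_ipv4(src, dst, piece, ident, more | (off // 8)))
    return frags


def parse(packet: bytes) -> dict:
    """Pull out what a filter rule looks at: offset, MF, protocol, UDP ports if present."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    info = {"ident": struct.unpack("!H", packet[4:6])[0],
            "offset": (flags_frag & 0x1FFF) * 8, "mf": bool(flags_frag & MF),
            "proto": packet[9], "payload": packet[20:]}
    # Transport header exists only in the first fragment (offset 0).
    if info["offset"] == 0 and info["proto"] == IPPROTO_UDP and len(packet) >= 28:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[20:24])
    return info


def rule_allow_udp_from_53(packet: bytes) -> bool:
    """Equivalent of 'allow udp from any 53 to any in': needs a visible UDP header."""
    p = parse(packet)
    return p["proto"] == IPPROTO_UDP and p.get("sport") == 53


def reassemble(fragments: list) -> bytes:
    """Minimal reassembler, the job ipfw's reass action performs before later rules.
    Raises ValueError on gaps or a missing final fragment."""
    frags = sorted(fragments, key=lambda f: parse(f)["offset"])
    expected = 0
    for f in frags:
        p = parse(f)
        if p["offset"] != expected:
            raise ValueError("gap in fragment sequence")
        expected += len(p["payload"])
    if parse(frags[-1])["mf"]:
        raise ValueError("final fragment missing")
    first = frags[0]
    return build_ipv4(socket.inet_ntoa(first[12:16]), socket.inet_ntoa(first[16:20]),
                      b"".join(f[20:] for f in frags), parse(first)["ident"])


def sample_packet() -> bytes:
    """Constructed stand-in for a large DNSSEC answer: 1400 payload bytes from port 53."""
    return build_ipv4("192.0.2.53", "198.51.100.7", build_udp(53, 40000, b"\x00" * 1400), 0x1234)


def demo(mtu: int = 576) -> dict:
    frags = fragment(sample_packet(), mtu)
    return {"fragments": len(frags),
            "passed_without_reass": [rule_allow_udp_from_53(f) for f in frags],
            "passed_with_reass": rule_allow_udp_from_53(reassemble(frags))}


if __name__ == "__main__":
    print(demo())  # at MTU 576: 3 fragments, only the first passes without reassembly
```

The same reasoning applies to the real ruleset: the reass rules have to come before any rule that matches on ports, and ipfw(8) notes that when net.inet.ip.fw.one_pass is set the reassembled packet is accepted straight from the reass rule instead of continuing down the ruleset, so check that sysctl on a host where later rules are expected to see the reassembled datagram.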