Problems with IP fragments

Lev Serebryakov lev at FreeBSD.org
Wed Jan 28 18:08:39 UTC 2015



On 28.01.2015 21:04, Freddie Cash wrote:

>> Looks like "IP Fragments Filtered", but I don't understand — why
>> and where?!
>> 
>> I'm using ipfw on both hosts, but I don't have any special rules 
>> about IP fragments at all! And as these systems are in
>> completely different networks, with different uplinks and FreeBSD
>> versions!
>> 
> 
> IPFW doesn't deal with IP fragment reassembly by default.

  Oh, I see. And as the second fragment is not "UDP" (it doesn't have a UDP
header!), it doesn't pass through the stateful firewall... I see now.
Thank you.

> You can add something like the following to the start of the IPFW
> ruleset to work around it (one for each NIC):
> 
> $IPFW add reass ip from any to any in recv $NIC0
> $IPFW add reass ip from any to any in recv $NIC1
> ...
> 


-- 
// Lev Serebryakov
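
Added example (not part of the original message): a small Python model of why a rule that matches on UDP ports sees only the first fragment of a fragmented datagram, and why reassembling first makes the ports visible again. The addresses, ports, payload size and all function names are constructed for illustration; `reassemble` is a simplified stand-in for reassembly, not ipfw code.

```python
import struct

def ipv4_header(ident, frag_off_bytes, more, payload_len, proto=17):
    """Build a 20-byte IPv4 header (checksum left at 0; constructed sample)."""
    flags_off = (0x2000 if more else 0) | (frag_off_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

def fragment(udp_datagram, ident, chunk_len):
    """Split a UDP datagram into IPv4 fragments; chunk_len must be a multiple of 8."""
    frags = []
    for off in range(0, len(udp_datagram), chunk_len):
        chunk = udp_datagram[off:off + chunk_len]
        more = off + chunk_len < len(udp_datagram)
        frags.append(ipv4_header(ident, off, more, len(chunk)) + chunk)
    return frags

def udp_ports(packet):
    """Return (sport, dport) if the packet carries a UDP header, else None."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off, = struct.unpack("!H", packet[6:8])
    if packet[9] != 17 or (flags_off & 0x1FFF) != 0:
        return None  # non-first fragment: its payload starts mid-datagram
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def reassemble(frags):
    """Rebuild one unfragmented packet from all fragments of one datagram."""
    parts = {}
    for p in frags:
        ihl = (p[0] & 0x0F) * 4
        off = (struct.unpack("!H", p[6:8])[0] & 0x1FFF) * 8
        parts[off] = p[ihl:]
    payload = b"".join(parts[o] for o in sorted(parts))
    ident, = struct.unpack("!H", frags[0][4:6])
    return ipv4_header(ident, 0, False, len(payload)) + payload

def sample():
    """Constructed 3000-byte UDP payload (ports 40000 -> 53), 1480-byte fragments."""
    data = bytes(3000)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    return fragment(udp, ident=0x1234, chunk_len=1480)

if __name__ == "__main__":
    frags = sample()
    for i, f in enumerate(frags):
        print("fragment", i, "ports:", udp_ports(f))
    print("reassembled ports:", udp_ports(reassemble(frags)))
```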

