FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Ian Smith
smithi at nimnet.asn.au
Sat May 3 14:54:07 UTC 2014
On Sat, 3 May 2014 01:25:40 -0400, Garrett Wollman wrote:
> <<On Sat, 3 May 2014 13:53:44 +1000 (EST), Ian Smith <smithi at nimnet.asn.au> said:
>
> > I've always allowed frags, as per the example rulesets in rc.firewall.
> > I only recall seeing them on DNS responses from zen.spamhaus.org, where
> > I see plenty of these after a resetlog before the logging limit kicks
> > in. I doubt I'd be getting rid of ~90% of incoming spam without; eg:
>
> Blocking inbound fragments will definitely screw you when you try to
> use DNSsec.
Thanks to you and Darren; more grist for mending the Handbook ipfw page,
likely why some people have been perhaps ill-advisedly dropping frags.
cheers, Ian
More information about the freebsd-security
mailing list