From owner-freebsd-security@FreeBSD.ORG  Sat May  3 14:54:07 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 45DF4E74
 for <freebsd-security@freebsd.org>; Sat,  3 May 2014 14:54:07 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id BA9A51480
 for <freebsd-security@freebsd.org>; Sat,  3 May 2014 14:54:06 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s43Ers5H012104;
 Sun, 4 May 2014 00:53:54 +1000 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Sun, 4 May 2014 00:53:54 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Garrett Wollman <wollman@bimajority.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
In-Reply-To: <21348.32212.390793.959943@hergotha.csail.mit.edu>
Message-ID: <20140504003835.J11699@sola.nimnet.asn.au>
References: <3867.1399059743@server1.tristatelogic.com>
 <5363FA70.9040100@delphij.net>
 <20140503133437.R11699@sola.nimnet.asn.au>
 <21348.32212.390793.959943@hergotha.csail.mit.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 03 May 2014 14:54:07 -0000

On Sat, 3 May 2014 01:25:40 -0400, Garrett Wollman wrote:
 > <<On Sat, 3 May 2014 13:53:44 +1000 (EST), Ian Smith <smithi@nimnet.asn.au> said:
 > 
 > > I've always allowed frags, as per the example rulesets in rc.firewall.  
 > > I only recall seeing them on DNS responses from zen.spamhaus.org, where 
 > > I see plenty of these after a resetlog before the logging limit kicks 
 > > in.  I doubt I'd be getting rid of ~90% of incoming spam without; eg:
 > 
 > Blocking inbound fragments will definitely screw you when you try to
 > use DNSsec.

Thanks to you and Darren; more grist for mending the Handbook ipfw page, 
likely why some people have been perhaps ill-advisedly dropping frags.

cheers, Ian