Date: Sat, 14 Mar 2009 17:03:54 +0300
From: Sergey Matveychuk <sem@FreeBSD.org>
To: Dmitriy Demidov <dima_bsd@inbox.lv>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49BBB94A.7040208@FreeBSD.org>
In-Reply-To: <200903132246.49159.dima_bsd@inbox.lv>
References: <200903132246.49159.dima_bsd@inbox.lv>
Dmitriy Demidov wrote:
> Unbound starts working only when I put in ipfw this set of rules to handle all UDP packets outside from keep-state rules:
> add allow udp from any to any

What if you add:
add allow ip from any to any frag
instead of the line above?

> add check-state
> add deny icmp from any to any frag

I'm not sure the line above is correct.

> add allow icmp from any to me icmptypes 0,3,11
> add allow icmp from me to any out keep-state
> add allow tcp from me to any out keep-state
> add allow udp from me to any out keep-state
> add deny ip from any to any
>
> It looks like dynamically created rules somehow inadequately handle big UDP packets (DNSSEC answers are big).
> Is there anyone who can help to investigate this issue (looks like I can't do it myself)?
> Can it be ipfw related issue?

-- 
Dixi.
Sem.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49BBB94A.7040208>
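
The following is an added example, not part of the original thread and not ipfw code. It is a simplified model of the quoted ruleset that assumes a dynamic state is looked up by addresses and UDP ports, and it shows how the second fragment of a large constructed DNS reply fares with and without the suggested `frag` rule. All addresses, ports and function names are made up for illustration.

```python
import socket, struct

UDP = 17

def ip_packet(src, dst, ident, more_frags, offset, payload):
    """Build a minimal IPv4 packet (checksum left 0; constructed test data)."""
    flags_off = (0x2000 if more_frags else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, UDP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Return (src, dst, offset_bytes, sport, dport); ports are None when absent."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off, = struct.unpack("!H", pkt[6:8])
    offset = (flags_off & 0x1FFF) * 8
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if offset:                      # non-first fragment: no UDP header here
        return src, dst, offset, None, None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, offset, sport, dport

def filter_inbound(pkts, states, allow_frag):
    """Simplified model: [allow ip frag], check-state, deny ip from any to any."""
    verdicts = []
    for pkt in pkts:
        src, dst, offset, sport, dport = parse(pkt)
        if allow_frag and offset:   # ipfw 'frag': fragment that is not the first
            verdicts.append("allow (frag rule)")
        elif (dst, dport, src, sport) in states:   # assumed port-keyed lookup
            verdicts.append("allow (state)")
        else:
            verdicts.append("deny")
    return verdicts

def demo(allow_frag):
    # Constructed traffic: resolver 192.0.2.10:40000 queried 198.51.100.53:53,
    # so the keep-state rule recorded that flow.
    states = {("192.0.2.10", 40000, "198.51.100.53", 53)}
    # 2000-byte UDP reply split at 1480 bytes, as with a 1500-byte MTU.
    udp = struct.pack("!HHHH", 53, 40000, 2000, 0) + b"\x00" * 1992
    frags = [ip_packet("198.51.100.53", "192.0.2.10", 7, True, 0, udp[:1480]),
             ip_packet("198.51.100.53", "192.0.2.10", 7, False, 1480, udp[1480:])]
    return filter_inbound(frags, states, allow_frag)

if __name__ == "__main__":
    print(demo(False), demo(True))
```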