Date:      Sat, 20 Feb 2021 15:02:11 -0800
From:      Doug Hardie <bc979@lafn.org>
To:        "net@freebsd.org" <net@FreeBSD.org>
Subject:   Re: IPv6 Fragmentation
Message-ID:  <5F0CE151-3B44-4692-AE82-F292B99BAC29@sermon-archive.info>
In-Reply-To: <DE246A9E-E931-4870-8EDB-AD5F9FBC7574@FreeBSD.org>
References:  <CB0FB5AB-5A37-4C40-A103-3E0D97CEA6B9@sermon-archive.info> <472A2B49-9BEC-4335-B6FB-AC4DAA0F0310@lurchi.franken.de> <A01F640F-E412-474C-A34C-19B7219BD84D@sermon-archive.info> <DE246A9E-E931-4870-8EDB-AD5F9FBC7574@FreeBSD.org>



> On 20 February 2021, at 04:13, Kristof Provost <kp@FreeBSD.org> wrote:
> 
> If you don't have scrub fragment reassemble set then you have to include something like pass log inet6 proto ipv6-frag all to pass fragmented packets (assuming you block by default).
> 
> You really, really want scrub fragment reassemble because otherwise your firewall can be trivially bypassed, but you need one of the two for fragmented packets to work.
> 

I went with reassembly as it was easy to configure.  However, is there some place where the trivial bypassing is addressed in detail?  I would like to understand that.

-- Doug
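The two alternatives Kristof describes, side by side in a minimal default-deny pf.conf. This is an added example, not a configuration posted by anyone in the thread; the interface name em0 and the set of passed ports are assumptions.

```pf
# Added example (not from the thread): minimal IPv6-capable pf.conf with a
# default-deny policy. Interface name and ports below are assumptions.

ext_if = "em0"

# Preferred option: reassemble fragments before the rules and the state
# table see them, so every rule below evaluates the complete packet
# rather than the headers of a single fragment.
scrub on $ext_if all fragment reassemble

# Default deny; anything not explicitly passed is dropped and logged.
block log all

# Weaker option (only needed if the scrub line above is absent):
# without reassembly, pf must be told explicitly to let IPv6 fragments
# through at all, otherwise fragmented packets never pass.
# pass log inet6 proto ipv6-frag all

# Ordinary stateful rules; with reassembly in place these apply to the
# whole reassembled packet.
pass out quick on $ext_if inet6 keep state
pass in on $ext_if inet6 proto tcp to ($ext_if) port { 22 80 443 } keep state
pass in on $ext_if inet6 proto icmp6 all keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Keep only one of the two fragment options active: with the scrub rule in place the ipv6-frag pass rule is unnecessary, and having both means fragments that could not be reassembled are still passed unevaluated.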