From: Freddie Cash <fjwcash@gmail.com>
To: lev@freebsd.org
Cc: freebsd-net <freebsd-net@freebsd.org>, Matthew Seaman
Date: Wed, 28 Jan 2015 10:04:57 -0800
Subject: Re: Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)
In-Reply-To: <54C92222.6000201@FreeBSD.org>
References: <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>
On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 28.01.2015 20:38, Matthew Seaman wrote:
>
> > What do you get if you run the reply size test at DNS-OARC ?
> >
> > https://www.dns-oarc.net/oarc/services/replysizetest
>
> 0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> on 9.3.
>
> Looks like "IP Fragments Filtered", but I don't understand — why and
> where?!
>
> I'm using ipfw on both hosts, but I don't have any special rules
> about IP fragments at all! And these systems are in completely
> different networks, with different uplinks and FreeBSD versions!

IPFW doesn't deal with IP fragment reassembly by default. You can add something like the following to the start of the IPFW ruleset to work around it (one for each NIC):

$IPFW add reass ip from any to any in recv $NIC0
$IPFW add reass ip from any to any in recv $NIC1
...

-- 
Freddie Cash
fjwcash@gmail.com
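The ruleset shape Freddie describes, as an added example that is not part of the original mail and not FreeBSD's own rc.firewall: a small POSIX sh fragment that puts one `reass` rule per interface ahead of everything else, followed by a port-matching rule that only works once fragments are reassembled. The interface names in NICS, the rule numbers, and the ability to override IPFW (for instance IPFW=echo, which just prints the rules instead of loading them) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the list post. Assumes two uplinks named in NICS
# (em0 em1 are placeholders) and that IPFW may be overridden for a dry run.
IPFW="${IPFW:-/sbin/ipfw}"
NICS="${NICS:-em0 em1}"

# One 'reass' rule per inbound interface. It must sit before any rule that
# matches on transport-layer fields: only the first fragment of a datagram
# carries the UDP/TCP header, so a later 'dst-port 53' or 'check-state'
# test can never match the remaining fragments of a large DNSSEC answer.
reass_rule() {
    # $1 = interface, $2 = rule number
    $IPFW add "$2" reass ip from any to any in recv "$1"
}

# Emit the full ruleset in order. With IPFW=echo the output is the list of
# rules that would be installed, which is what the test below inspects.
build_ruleset() {
    n=100
    $IPFW -q flush
    for nic in $NICS; do
        reass_rule "$nic" "$n"
        n=$((n + 10))
    done
    # A rule that depends on reassembly: accept DNS replies by source port.
    $IPFW add 1000 allow udp from any 53 to me in
    # Default deny; without 'reass' above, non-first fragments end here.
    $IPFW add 65000 deny ip from any to any
}

# Count how many 'reass' rules precede the first non-reass accept/deny rule,
# so a misplaced reassembly rule can be caught before the set goes live.
reass_before_first_match() {
    build_ruleset | awk '
        /flush/ { next }
        / reass / { r++; next }
        { print r; exit }
    '
}
```

Two practical caveats from ipfw(8). First, the rule position matters: `reass` only helps rules that come after it, so it belongs at the very top, as in the mail. Second, ipfw(8) documents that when `net.inet.ip.fw.one_pass` is set (the default), a packet reassembled by `reass` is accepted immediately and the rest of the ruleset is not consulted; set `net.inet.ip.fw.one_pass=0` if the reassembled datagram should still be subject to the allow/deny rules below it, otherwise fragmented traffic bypasses them. Re-run the DNS-OARC reply size test, or `dig +dnssec` against a zone with large answers, after loading the rules to confirm that fragmented UDP now arrives.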