Date:      Wed, 28 Jan 2015 10:04:57 -0800
From:      Freddie Cash <fjwcash@gmail.com>
To:        lev@freebsd.org
Cc:        freebsd-net <freebsd-net@freebsd.org>, Matthew Seaman <m.seaman@infracaninophile.co.uk>
Subject:   Re: Problems with IP fragments (was: Problems with DNSSEC -- answer in fragmented UDP doesn't work)
Message-ID:  <CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A@mail.gmail.com>
In-Reply-To: <54C92222.6000201@FreeBSD.org>
References:  <54C918D2.7090805@FreeBSD.org> <54C91E80.7020407@infracaninophile.co.uk> <54C92222.6000201@FreeBSD.org>

On Wed, Jan 28, 2015 at 9:53 AM, Lev Serebryakov <lev@freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 28.01.2015 20:38, Matthew Seaman wrote:
>
> > What do you get if you run the reply size test at DNS-OARC ?
> >
> > https://www.dns-oarc.net/oarc/services/replysizetest
>  0 lines (empty answer) at CURRENT, only "rst.x1013.rs.dns-oarc.net."
> on 9.3.
>
>  Looks like "IP Fragments Filtered", but I don't understand — why and
> where?!
>
>  I'm using ipfw on both hosts, but I don't have any special rules
> about IP fragments at all! And as these systems are in completely
> different networks, with different uplinks and FreeBSD versions!
>

IPFW doesn't deal with IP fragment reassembly by default.

You can add something like the following to the start of the IPFW ruleset
to work around it (one for each NIC):

$IPFW add reass ip from any to any in recv $NIC0
$IPFW add reass ip from any to any in recv $NIC1
...

-- 
Freddie Cash
fjwcash@gmail.com
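
An added illustration, not part of the original message and not ipfw code: a Python model of why a per-packet rule that matches on UDP port sees only the first fragment of a large DNS answer, and why reassembling before filtering lets the whole answer match. The 1800-byte payload, the port numbers and the "source port 53" rule are constructed assumptions.

```python
import struct

IP_HDR, UDP_HDR, MTU = 20, 8, 1500  # IPv4 header without options; Ethernet MTU

def fragment(datagram, mtu=MTU):
    """Split a UDP datagram into (offset in 8-byte units, more-fragments, data)."""
    step = (mtu - IP_HDR) // 8 * 8  # fragment payloads are multiples of 8 bytes
    return [(pos // 8, pos + step < len(datagram), datagram[pos:pos + step])
            for pos in range(0, len(datagram), step)]

def src_port(frag):
    """UDP source port a per-packet filter can read, or None if there is no UDP header."""
    offset, _more, data = frag
    if offset != 0 or len(data) < UDP_HDR:
        return None
    return struct.unpack("!H", data[:2])[0]

def port_rule_matches(frag, port=53):
    """Hypothetical per-packet rule: accept UDP whose source port is `port`."""
    return src_port(frag) == port

def reassemble(frags):
    """Rebuild the datagram as one unfragmented packet; None if a piece is missing."""
    data, more = b"", True
    for offset, more, chunk in sorted(frags):
        if offset * 8 != len(data):
            return None  # hole in the sequence
        data += chunk
    return None if more else (0, False, data)

def make_answer(payload_len=1800, sport=53, dport=40000):
    """Constructed sample: UDP header (checksum left 0) plus filler payload."""
    header = struct.pack("!HHHH", sport, dport, UDP_HDR + payload_len, 0)
    return header + b"\x00" * payload_len

if __name__ == "__main__":
    frags = fragment(make_answer())
    for f in frags:
        print(f"offset={f[0] * 8:5d} len={len(f[2]):5d} "
              f"port rule matches: {port_rule_matches(f)}")
    print("after reassembly:", port_rule_matches(reassemble(frags)))
```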



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOjFWZ4KVyYe65ggiHxy3SSw7MPMgx-0kD5ccfXOM%2BftwncP1A>