Date: Sat, 31 Jan 2015 06:11:11 +0000
From: David DeSimone <ddesimone@verio.net>
To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: RE: Problems with DNSSEC -- answer in fragmented UDP doesn't work
Message-ID: <BLUPR0801MB67470004919E4094A226E30BA3E0@BLUPR0801MB674.namprd08.prod.outlook.com>
In-Reply-To: <CAN6yY1v8apAdjNtfzXEG4Gx6tbCsEbZuRii48vOQJ2O%2BCeUNyQ@mail.gmail.com>
References: <54C918D2.7090805@FreeBSD.org> <CAN6yY1v8apAdjNtfzXEG4Gx6tbCsEbZuRii48vOQJ2O%2BCeUNyQ@mail.gmail.com>

Kevin Oberman wrote:
>
> For ipfw you need something like "allow ip from any to me frag". If you
> want to restrict this to DNS, restrict it to dst-port 53.

Unfortunately, UDP fragments only contain the port number in the very first fragment. So you will not be able to forward the later fragments based on port number. You can only see the Src/Dest IP and Protocol number in the fragment.

--
David DeSimone == fox@verio.net == Network Admin
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
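
The behaviour described in the reply above, as an added example that is not part of the original message: a constructed 3000-byte UDP payload from port 53 is split into IPv4 fragments, and each fragment is parsed the way a stateless filter sees it. The addresses, ports, IP ID and helper names are assumptions chosen for illustration.

```python
import socket
import struct

def ipv4_header(src, dst, ident, offset_bytes, more, payload_len, proto=17):
    # Flags/offset field: MF bit (0x2000) plus the offset in 8-byte units.
    flags_off = (0x2000 if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_off, 64, proto, 0,  # checksum left 0, unused here
                       socket.inet_aton(src), socket.inet_aton(dst))

def fragment(src, dst, sport, dport, data, mtu=1500):
    """Build one UDP datagram and split it into IPv4 fragments."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    step = (mtu - 20) // 8 * 8  # fragment payloads are multiples of 8 bytes
    frags = []
    for off in range(0, len(udp), step):
        chunk = udp[off:off + step]
        more = off + step < len(udp)
        frags.append(ipv4_header(src, dst, 0x1234, off, more, len(chunk)) + chunk)
    return frags

def filter_view(packet):
    """Return the fields a per-packet (stateless) filter can match on."""
    ihl = (packet[0] & 0x0F) * 4
    flags_off, = struct.unpack("!H", packet[6:8])
    offset = (flags_off & 0x1FFF) * 8
    view = {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
        "offset": offset,
        "more_fragments": bool(flags_off & 0x2000),
        "sport": None,
        "dport": None,
    }
    # The UDP header exists only in the fragment with offset 0.
    if offset == 0 and packet[9] == 17 and len(packet) >= ihl + 8:
        view["sport"], view["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return view

def sample_views():
    # Constructed sample: documentation addresses, large answer from port 53.
    frags = fragment("192.0.2.53", "198.51.100.10", 53, 40000, b"\x00" * 3000)
    return [filter_view(f) for f in frags]

if __name__ == "__main__":
    for view in sample_views():
        print(view)
```

Only the first of the three fragments reports ports; the other two expose just the addresses, the protocol number and the fragment offset, so a rule keyed on port 53 has nothing to match in them unless the firewall reassembles or tracks fragments.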