On Thursday 22 July 2004 23:34, othermark wrote:
> Hi,
>
> This is one of those obscure, yet well-known issues in FreeBSD:
> some network stacks, like Linux, send the udp/icmp fragment
> first (if multiple frags -- in reverse order), then the original
> packet with the header.
>
> In -current, we still cannot process this simple fragged icmp-echo
> request from a Linux host. For example, 'ping -c 1 -s 1500 <freebsd ip>'.
>
> FreeBSD discards the frag(s) and when it sees the initial packet with
> header waits for the frags.
>
> So two questions:
>
> 1. is there a gnats pr? I tried various searches with no success.
> 2. are there workarounds/patches?

Activation of pf with a "scrub in on <interface> fragment reassemble" rule
works as a workaround. In every case you have to decide if you want to
invest the required memory to store fragments, which might make you
easy/easier prey for DoS attacks. Usually, for an average gateway the cost
is worth the gain (= increased security).

-- 
/"\  Best regards,                      | mlaier_at_freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier_at_EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
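The following is an added illustration, not code from this thread, from FreeBSD, Linux or pf. It models the two behaviours the exchange talks about: a reassembler that throws away any fragment arriving before the header-carrying first fragment (what othermark reports seeing), and an order-independent reassembler that buffers fragments under a byte budget (roughly what pf's scrub reassembly buys you, together with the memory cost Max warns about). A 1500-byte ICMP echo payload is fragmented as `ping -s 1500` would produce on a 1500-byte MTU, and the fragments are delivered last-first as the post says Linux does. Class and function names, the 64 KiB default budget and the sample payload are all assumptions made for the example; fragment timeouts, which any real stack has, are left out.

```python
"""Model of IPv4 fragment reassembly and the ordering problem the thread describes.

Constructed illustration (not FreeBSD, Linux or pf code): a 1500-byte ICMP echo
payload is fragmented, the fragments are delivered last-first as the post says a
Linux stack does, and two reassembler policies are compared.
"""
import struct

MTU = 1500
IP_HDR_LEN = 20
MAX_FRAG_DATA = (MTU - IP_HDR_LEN) // 8 * 8     # 1480: fragment data is a multiple of 8


def build_fragments(payload, ident=0x1234):
    """Split one ICMP echo request (8-byte ICMP header + payload) into fragments.

    Each fragment is (ident, offset_in_8_byte_units, more_fragments, data), listed
    in header-first order. The ICMP checksum is left as 0; it is irrelevant here.
    """
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + payload   # type 8 = echo request
    frags, off = [], 0
    while off < len(icmp):
        chunk = icmp[off:off + MAX_FRAG_DATA]
        more = 1 if off + len(chunk) < len(icmp) else 0
        frags.append((ident, off // 8, more, chunk))
        off += len(chunk)
    return frags


def _try_complete(queue, ident):
    """Return the reassembled datagram if every fragment for ident is present, else None."""
    parts = queue[ident]
    expected, out = 0, b""
    for off in sorted(parts):
        more, data = parts[off]
        if off != expected:           # hole before this fragment
            return None
        out += data
        if not more:                  # last fragment reached with no holes
            del queue[ident]
            return out
        expected = off + len(data) // 8
    return None                       # last fragment not seen yet


class FirstFragmentOnlyReassembler:
    """Policy the post describes (assumed model): a fragment for a datagram whose
    first fragment (offset 0) has not been seen is discarded, so when the first
    fragment finally arrives it waits for data that was already thrown away."""

    def __init__(self):
        self.queue = {}

    def receive(self, ident, offset, more, data):
        if ident not in self.queue:
            if offset != 0:
                return None           # discarded, never buffered
            self.queue[ident] = {}
        self.queue[ident][offset] = (more, data)
        return _try_complete(self.queue, ident)


class OrderIndependentReassembler:
    """Buffer fragments in any order under a fixed byte budget (assumed model of
    what 'scrub ... fragment reassemble' gives you); the buffer is the memory
    cost the reply warns can make the host an easier DoS target."""

    def __init__(self, max_buffered_bytes=64 * 1024):
        self.queue = {}
        self.buffered = 0
        self.max_buffered_bytes = max_buffered_bytes
        self.dropped_over_budget = 0

    def receive(self, ident, offset, more, data):
        if self.buffered + len(data) > self.max_buffered_bytes:
            self.dropped_over_budget += 1
            return None               # budget exhausted: drop rather than grow without bound
        parts = self.queue.setdefault(ident, {})
        if offset not in parts:       # a duplicate does not consume more budget
            self.buffered += len(data)
        parts[offset] = (more, data)
        done = _try_complete(self.queue, ident)
        if done is not None:
            self.buffered -= len(done)
        return done


def deliver(reassembler, fragments):
    """Feed fragments in the given order; return the reassembled datagram or None."""
    result = None
    for frag in fragments:
        out = reassembler.receive(*frag)
        if out is not None:
            result = out
    return result


def demo(payload_len=1500):
    """Return (naive_result, order_independent_result, fragment_count) for last-first delivery."""
    payload = bytes(i % 256 for i in range(payload_len))    # constructed sample payload
    linux_order = list(reversed(build_fragments(payload)))  # last fragment sent first
    naive = deliver(FirstFragmentOnlyReassembler(), linux_order)
    tolerant = deliver(OrderIndependentReassembler(), linux_order)
    return naive, tolerant, len(linux_order)


if __name__ == "__main__":
    naive, tolerant, n = demo()
    print(n, "fragments; first-fragment-only policy:", naive is not None,
          "; order-independent policy:", tolerant is not None)
```

With the reversed delivery the first-fragment-only policy never completes the datagram, while the order-independent one reassembles all 1508 bytes (8-byte ICMP header plus payload). The budget in the second class is the knob that trades reassembly for DoS exposure: set it too low and legitimate large datagrams are dropped, set it without bound and an attacker can fill memory with never-completed fragment sets.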
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:02 UTC