On Friday 23 July 2004 00:32, othermark wrote:
> Max Laier wrote:
> > On Thursday 22 July 2004 23:34, othermark wrote:
> > Activation of pf with a
> > scrub in on <interface> fragment reassemble
> > rule works as workaround.
>
> Thanks for this suggestion,
>
> I have a 'scrub in all fragments reassemble' that I just added and loaded
> to my /etc/pf.conf, which does not seem to solve the problem. Do I have to
> specify a scrub for each interface in this case (maybe a better question
> for the pf list)?

Moved. It actually should. Can you please try to
# pfctl -x misc
and check the console? I might well have something wrong, need to cross check.

> > In every case you have to decide if you want to
> > invest the required memory to store fragments, which might make you
> > easy/easier prey for DoS-attacks. Usually, for an average gateway the
> > cost is worth the gain (= increased security).
>
> Most of the current systems today are able to handle both types of
> sequences. It really is a small processing hit, FreeBSD already does
> some buffering with proper safeguards/maximums for various
> traffic patterns.
>
> I would suspect some NFS/udp interoperability problems with the way it
> handles fragments right now.
>
> --
> othermark
> atkin901 at nospam dot yahoo dot com
> (!wired)?(coffee++):(wired);

-- 
/"\  Best regards,                      | mlaier_at_freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier_at_EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
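
Added example, not part of the original thread and not taken from either poster's configuration: a pf.conf fragment showing the scrub workaround discussed above together with an explicit bound on the fragment cache, which is the memory/DoS trade-off the thread mentions. The interface name em0 and the limit value are assumptions chosen for illustration; the syntax follows FreeBSD's pf.conf(5).

```conf
# /etc/pf.conf fragment (illustrative; adjust names and values)

# Hypothetical external interface name.
ext_if = "em0"

# Options come first. Cap the number of entries in the memory pool
# used for packet reassembly by scrub rules, so a flood of incomplete
# fragments cannot grow the cache without bound. 5000 is an assumed
# value; size it to the memory you are willing to spend.
set limit frags 5000

# Normalization rules follow the options.
# Buffer incoming fragments on every interface and pass only
# completely reassembled packets on to the filter rules:
scrub in all fragment reassemble

# Per-interface form, as in the original suggestion. One rule covering
# all interfaces (above) makes this redundant; use one or the other.
# scrub in on $ext_if fragment reassemble

# Checks after editing:
#   pfctl -nvf /etc/pf.conf   parse the file and print the rules
#                             without loading them (catches typos)
#   pfctl -f /etc/pf.conf     load the ruleset
#   pfctl -s memory           show the active limits, including frags
#   pfctl -s info             show status counters, including the
#                             fragment counter
#   pfctl -x misc             raise the debug level, as asked for in
#                             the reply above, then watch the console
```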