[dns-operations] PMTUD of .org servers
Florian Weimer
fw at deneb.enyo.de
Fri Feb 12 11:30:19 UTC 2010
* Mark Andrews:
> In message <87skhv6kmy.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>> Yes, except that it sometimes doubles or triples the rule count
>> (there's the issue of small fragment offsets to worry about).
>
> I don't know what crazy syntax your firewall uses but this is all that you
> really need.
>
> add pass ip from any to any frag
Yes, this works, but only for UDP. For TCP, you need more involved
rules because you usually want to filter on ports and flags, and you
have to make sure both are in the same segment (they cross an 8-byte
boundary in the packet, a small design blunder).
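To make the 8-byte-boundary point concrete, here is an added Python illustration; it is not part of Florian's or Mark's messages and is not ipfw code. It builds a constructed 20-byte TCP header, splits it into IP fragments whose offsets are counted in 8-byte units, reports which fragments carry the ports (bytes 0-3 of the TCP header) and the flags (byte 13), and applies two RFC 1858-style filter checks. The `TMIN` value of 16 bytes is an assumption chosen so that a first fragment must reach past the flags byte; the port numbers and flag bits are constructed sample values.

```python
import struct

# TCP header layout (RFC 793): source/destination ports in bytes 0-3,
# flags in byte 13. IP fragment offsets are in units of 8 bytes, so a
# fragment starting at offset 1 begins at TCP byte 8: it contains the flags
# but not the ports.
TCP_HDR_LEN = 20
PORT_RANGE = (0, 4)
FLAGS_BYTE = 13
TMIN = 16          # assumed minimum first-fragment transport length
TCP_SYN = 0x02

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Return a constructed 20-byte TCP header (checksum left zero)."""
    data_offset = (TCP_HDR_LEN // 4) << 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)

def fragment(payload, frag_payload):
    """Split an IP payload into fragments of frag_payload bytes each.

    frag_payload must be a multiple of 8 (all but the last fragment).
    Returns a list of (offset_in_8_byte_units, data, more_fragments).
    """
    if frag_payload % 8 != 0:
        raise ValueError("fragment payload must be a multiple of 8")
    frags = []
    pos = 0
    while pos < len(payload):
        chunk = payload[pos:pos + frag_payload]
        more = pos + len(chunk) < len(payload)
        frags.append((pos // 8, chunk, more))
        pos += len(chunk)
    return frags

def fields_in_fragment(offset_units, data):
    """Return (has_ports, has_flags) for one fragment of a TCP datagram."""
    start = offset_units * 8
    end = start + len(data)
    has_ports = start <= PORT_RANGE[0] and end >= PORT_RANGE[1]
    has_flags = start <= FLAGS_BYTE < end
    return has_ports, has_flags

def stateless_rule_match(offset_units, data, dport, flag_bit):
    """Emulate a stateless 'dport X and flag Y' rule applied to one fragment.

    Returns True/False when both fields are visible in this fragment, or
    None when the rule cannot be evaluated because a field is missing.
    """
    has_ports, has_flags = fields_in_fragment(offset_units, data)
    if not (has_ports and has_flags):
        return None
    start = offset_units * 8
    frag_dport = struct.unpack("!H", data[2 - start:4 - start])[0]
    frag_flags = data[FLAGS_BYTE - start]
    return frag_dport == dport and bool(frag_flags & flag_bit)

def tiny_fragment_check(offset_units, data):
    """RFC 1858-style checks for fragments of a TCP datagram.

    Returns 'pass' or a string starting with 'drop:'.
    """
    if offset_units == 0 and len(data) < TMIN:
        return "drop: first fragment too short to carry the TCP flags"
    if offset_units == 1:
        # A fragment at offset 1 starts inside the TCP header, past the
        # ports, and could carry flags (or overwrite them on reassembly).
        return "drop: fragment offset 1 splits the TCP header"
    return "pass"

if __name__ == "__main__":
    hdr = build_tcp_header(sport=40000, dport=53, flags=TCP_SYN)
    for off, data, more in fragment(hdr, 8):
        print(off, fields_in_fragment(off, data),
              stateless_rule_match(off, data, 53, TCP_SYN),
              tiny_fragment_check(off, data))
```

Run stand-alone, the script shows that with 8-byte fragments the first fragment carries the ports but no flags, the second carries the flags but no ports, so a port-plus-flags rule can match neither, and both fragments are caught by the tiny-fragment checks; the whole header in one fragment passes the checks and matches the rule.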