<html><body>
<div>
<div>On Jun 22, 2011, at 10:35 AM, Erik Jan van Westen wrote:</div>
<blockquote type="cite">
<div>On 22-6-2011 13:17, <a href="mailto:sthaug@nethelp.no">sthaug@nethelp.no</a> wrote:<br>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">iptables in front of any server, especially a DNS server, is a self-DoS waiting to happen.<br></blockquote></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Not if you have working ip6tables at the same time.<br></blockquote></blockquote></blockquote>
<blockquote type="cite"><blockquote type="cite">But before you deploy that, make sure your host-based firewall<br>
understands IPv6 fragments.<br>
<br>
OpenBSD pf still doesn't seem to support them:<br>
<br>
<a href="http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments">http://answerpot.com/showthread.php?2665264-IPv6+day%2C+PF+and+IPv6+fragments</a><br>
<br>
Not sure how iptables deals with them.<br></blockquote></blockquote>
<blockquote type="cite">Same problem with FreeBSD ipfw:<br>
<br>
&lt;<a href="http://www.freebsd.org/cgi/query-pr.cgi?pr=145733">http://www.freebsd.org/cgi/query-pr.cgi?pr=145733</a>&gt;<br></blockquote>
</div>
</blockquote>
<div><br></div>
<div>There was a thread on the BIND-USERS list a while back about setting up IPFW firewall rules for a DNS server. The subject was "<b>Best ipfw Rules for DNS-SEC</b>". You might want to go back through the archives and read these. Mark Andrews had some suggestions about IPv6 settings. Don't know if this addresses packet fragments.</div>
<div><br></div>
<div>Bill Larson</div>
</div>
</body></html>