On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> On Tue, 7 Mar 2017 13:49:25 +0000, [email protected] wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
> >
> > Mark Felder <[email protected]> changed:
> >
> >            What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >                  CC|                            |[email protected]
> >
> > --- Comment #1 from Mark Felder <[email protected]> ---
> > Needs some testers, but this should fix it
> >
> > https://reviews.freebsd.org/D9920
>
> I've always used these rules from 'client' and 'simple' rulesets:
>       ${fwcmd} add pass all from any to any frag
> which I long ago found essential to pass frags from zen.spamhaus.org
>
> I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> currently, so I won't pollute the bug report with what may be musing.
>
> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?
>

My pre-coffee brain said "UDP isn't stateful; should be fine to put this after check-state". I didn't evaluate it further than that.

--
  Mark Felder
  ports-secteam & portmgr member
  [email protected]
