Martti Kuparinen wrote:
Hi again,
Is "keep frags" supposed to work with IPv6? I have these rules in our
firewall (NetBSD/amd64 4.0 with IPF 4.1.23):

    block in from any to 2001:xxx:xxx:xxx::/64 head 6010

    # SMTP
    pass in quick proto tcp from any to 2001:xxx:xxx:xxx::146 port = 25 \
        flags S keep state keep frags group 6010

    # DNS
    pass in quick proto udp from any to 2001:xxx:xxx:xxx::146 port = 53 \
        keep state keep frags group 6010

    # Block everything else
    block in log quick all group 6010

but I'm getting this in the logs

    Sep 13 21:55:30 fw ipmon[406]: 21:55:29.798459 gif0 @6010:3 b 2001:yyy:yyy:yyy::13 -> 2001:xxx:xxx:xxx::146 PR ipv6-frag len 40 (270) IN

Have you got the "keep state/keep frag" patch applied?
Darren
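
An added example, not part of the original thread: a small triage script that parses ipmon lines like the one quoted above and counts blocked IPv6 fragments per group, rule and destination, so it is visible which rule is dropping them. The field layout is inferred from the quoted line, the rule numbering (file order within group 6010) is an assumption, and all sample log lines except the first are constructed.

```python
import re
from collections import Counter

# Layout inferred from the ipmon line quoted in the thread (assumption):
#   iface @group:rule action src -> dst PR proto len <n> (<n>) ... IN|OUT
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \(?(?P<plen>\d+)\)?.*? (?P<dir>IN|OUT)\s*$"
)

# Rules of group 6010 as posted, numbered in file order (assumption).
GROUP_6010 = {
    1: "pass in quick proto tcp from any to 2001:xxx:xxx:xxx::146 port = 25 "
       "flags S keep state keep frags",
    2: "pass in quick proto udp from any to 2001:xxx:xxx:xxx::146 port = 53 "
       "keep state keep frags",
    3: "block in log quick all",
}

# First line is the one from the thread; the other three are constructed.
SAMPLE_LOG = """\
Sep 13 21:55:30 fw ipmon[406]: 21:55:29.798459 gif0 @6010:3 b 2001:yyy:yyy:yyy::13 -> 2001:xxx:xxx:xxx::146 PR ipv6-frag len 40 (270) IN
Sep 13 21:55:31 fw ipmon[406]: 21:55:30.101200 gif0 @6010:1 p 2001:db8:1::13,40112 -> 2001:db8:2::146,25 PR tcp len 40 80 -S K-S IN
Sep 13 21:55:32 fw ipmon[406]: 21:55:31.220031 gif0 @6010:3 b 2001:db8:1::13 -> 2001:db8:2::146 PR ipv6-frag len 40 (1280) IN
Sep 13 21:55:33 fw ipmon[406]: 21:55:32.000100 gif0 @6010:3 b 2001:db8:1::77,5353 -> 2001:db8:2::146,5353 PR udp len 40 60 IN
"""

def parse(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    return m.groupdict() if m else None

def blocked_fragments(lines):
    """Count blocked ipv6-frag packets keyed by (group, rule, destination)."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "b" and rec["proto"] == "ipv6-frag":
            hits[(int(rec["group"]), int(rec["rule"]), rec["dst"])] += 1
    return hits

if __name__ == "__main__":
    for (group, rule, dst), n in blocked_fragments(SAMPLE_LOG.splitlines()).items():
        text = GROUP_6010.get(rule, "?") if group == 6010 else "?"
        print(f"{n} fragment(s) to {dst} blocked by @{group}:{rule}: {text}")
```
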