Bug#895364: iptables: using conntrack prevents dropping ip fragments

2018-05-11 Thread Jim Pirzyk
This issue has been solved by using the 4.16 kernel (from debian-9 backports) and adding the following file (with contents):

    cat /etc/modprobe.d/iptable_raw.conf
    options iptable_raw raw_before_defrag=1
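As an added example (not from the bug report or from Debian), a POSIX shell script that checks the two parts of the fix described above on a host: a kernel of at least 4.16 and the raw_before_defrag=1 option for iptable_raw in /etc/modprobe.d. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example, not from the bug report. Verifies the mitigation described
# in the thread: kernel >= 4.16 plus "options iptable_raw raw_before_defrag=1"
# so the raw table is traversed before conntrack defragments packets.

# kernel_at_least RUNNING WANTED -> exit 0 if RUNNING (as printed by
# "uname -r", e.g. "4.9.82-1+deb9u3") is at least WANTED (e.g. "4.16").
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-1+deb9u3" etc.
    hmaj=${have%%.*}; rest=${have#*.}; hmin=${rest%%.*}
    wmaj=${2%%.*};    rest=${2#*.};    wmin=${rest%%.*}
    [ "$hmaj" -gt "$wmaj" ] && return 0
    [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]
}

# raw_before_defrag_enabled FILE -> exit 0 if FILE contains an active
# "options iptable_raw ... raw_before_defrag=1" line. Commented-out lines
# (starting with #) and options for other modules are ignored; the bool
# spellings 1/y/Y that modprobe accepts are all recognised.
raw_before_defrag_enabled() {
    [ -r "$1" ] || return 1
    awk '$1 == "options" && $2 == "iptable_raw" {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^raw_before_defrag=(1|y|Y)$/) found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# check_host: run both checks against the live system (no arguments).
check_host() {
    kernel_at_least "$(uname -r)" 4.16 \
        || { echo "kernel $(uname -r) is older than 4.16"; return 1; }
    raw_before_defrag_enabled /etc/modprobe.d/iptable_raw.conf \
        || { echo "raw_before_defrag=1 not set for iptable_raw"; return 1; }
    echo "ok: raw table will see fragments before defragmentation"
}
```

Call check_host on the resolver host; a non-zero exit means one of the two pieces of the fix is missing.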

Bug#895364: iptables: using conntrack prevents dropping ip fragments

2018-04-10 Thread Jim Pirzyk
Further research into this bug: I have found this patch report for netfilter, https://patchwork.ozlabs.org/patch/863720/

Bug#895364: iptables: using conntrack prevents dropping ip fragments

2018-04-10 Thread Jim Pirzyk
Package: src:linux
Version: 4.9.82-1+deb9u3
Severity: important
Tags: upstream

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

0) Background. A caching resolver DNS server is vulnerable to cache poisoning via IP fragmentation attacks. See