Luigi Rizzo wrote:
Can you put a description in the manpage especially on the
assumptions and side effects of the reass option?

E.g. as I read it,
+ you need to make sure that the fragments are not dropped before
  the 'reass' (so you cannot rely on port numbers to decide
  accept or deny). This is obvious but a very common mistake;
+ reass silently queues the fragment if it does not reass, so it
  opens up a bit of vulnerability. Again obvious, but people
  won't realise if they don't see the code.
Someone else already pointed out that I should mention net.inet.ip.maxfrag*; I'll come up
with an updated man page later today.

--

bye,
P.
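
As an added illustration (not code from the thread or from ipfw itself), here are the two rule orderings Luigi describes, held as text so that nothing calls ipfw or needs root, plus a small check that the reass rule comes before any rule that could drop a fragment. The rule numbers and the ssh allow rule are constructed for the example.

```shell
#!/bin/sh
# Added example: two ipfw rulesets as plain text plus an ordering check.
# Nothing here invokes ipfw or sysctl, so it runs unprivileged and offline.

# Mistaken order (the common mistake from the thread): non-first fragments
# carry no TCP header, so rule 100 cannot match them on the port; they hit
# the deny at 200 and the 'reass' rule at 300 is never reached.
BAD_RULES='00100 allow tcp from any to me dst-port 22 in
00200 deny ip from any to any in
00300 reass all from any to any in'

# Corrected order: reassemble first, then filter the rebuilt datagram.
# The queue that 'reass' builds is bounded by the FreeBSD sysctls
# net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket (the
# net.inet.ip.maxfrag* knobs the reply refers to); they are not read here.
GOOD_RULES='00100 reass all from any to any in
00200 allow tcp from any to me dst-port 22 in
00300 deny ip from any to any in'

# reass_first RULESET
# Exit 0 when the 'reass' rule number is lower than every rule that denies
# or matches on ports (fields: 1 = rule number, 2 = action); exit 1 when a
# deny/port rule precedes it or when no reass rule exists at all.
reass_first() {
    printf '%s\n' "$1" | awk '
        $2 == "reass" { if (reass == "") reass = $1 + 0; next }
        $2 == "deny" || / (dst-port|src-port) / {
            if (first == "" || $1 + 0 < first) first = $1 + 0
        }
        END {
            if (reass == "") exit 1
            if (first != "" && first < reass) exit 1
            exit 0
        }'
}

reass_first "$BAD_RULES"  && echo "bad ruleset: ok" \
                          || echo "bad ruleset: fragments can be dropped before reass"
reass_first "$GOOD_RULES" && echo "good ruleset: ok" \
                          || echo "good ruleset: fragments can be dropped before reass"
```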

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
