From 8a9c5a82c07fbf89ce638d47707810792aed7548 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Thu, 4 Nov 1999 10:13:59 +0000
Subject: [PATCH] Pass IP fragments with non-zero offset.

The semantics of matching IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78.

Reminded by: "Ronald F. Guilmette"
---
 etc/rc.firewall | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/etc/rc.firewall b/etc/rc.firewall
index 0dd5ae68554e..24e49436481b 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -121,6 +121,9 @@ case ${firewall_type} in
 # Allow TCP through if setup succeeded
 ${fwcmd} add pass tcp from any to any established
 
+ # Allow IP fragments to pass through
+ ${fwcmd} add pass all from any to any frag
+
 # Allow setup of incoming email
 ${fwcmd} add pass tcp from any to ${ip} 25 setup
 
@@ -178,6 +181,9 @@ case ${firewall_type} in
 # Allow TCP through if setup succeeded
 ${fwcmd} add pass tcp from any to any established
 
+ # Allow IP fragments to pass through
+ ${fwcmd} add pass all from any to any frag
+
 # Allow setup of incoming email
 ${fwcmd} add pass tcp from any to ${oip} 25 setup
 
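Review bot: The added `pass all from any to any frag` rule, in both hunks (the one beside `${ip}` and the one beside `${oip}`), accepts every non-first fragment on any interface and in either direction, so fragments addressed to services the later rules never open are passed too. That is acceptable only while the offset-zero fragment is still judged by the port rules and reassembly discards overlapping or orphaned fragments, and the comment should record that assumption, e.g. `# Non-first fragments carry no port numbers and cannot be filtered by service; the first fragment is still checked by the rules below`. The `case` branches start and end outside both hunks, so the rule's position relative to any earlier deny rules (for example anti-spoofing) cannot be confirmed here and is worth checking, since a first-match `pass` placed ahead of them would let spoofed fragments through.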