Pass IP fragments with non-zero offset. The semantics of matching

IP fragments has been changed in src/sys/netinet/ip_fw.c,v 1.78. Reminded by: "Ronald F. Guilmette" <rfg@monkeys.com>
1999-11-04 10:13:59 +00:00 · 1999-11-04 10:13:59 +00:00 · 8a9c5a82c0
commit 8a9c5a82c0
parent 403030180d
1 changed files with 6 additions and 0 deletions
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@ -121,6 +121,9 @@ case ${firewall_type} in
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established

+	# Allow IP fragments to pass through
+	${fwcmd} add pass all from any to any frag
+
 	# Allow setup of incoming email
 	${fwcmd} add pass tcp from any to ${ip} 25 setup

@ -178,6 +181,9 @@ case ${firewall_type} in
 	# Allow TCP through if setup succeeded
 	${fwcmd} add pass tcp from any to any established

+	# Allow IP fragments to pass through
+	${fwcmd} add pass all from any to any frag
+
 	# Allow setup of incoming email
 	${fwcmd} add pass tcp from any to ${oip} 25 setup