Board: FB_security
Title: Re: FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
Origin: NCTU CS FreeBSD Server (Sat May 3 06:30:10 2014)
Relay path: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
On 5/2/2014 1:05 PM, Xin Li wrote:
> Blocking inbound IP fragments is generally a good safety measure, but
> keep in mind that doing so could break certain applications that do
> require it (e.g. don't be surprised if some users behind several layers
> of firewalls see blank pages from your website) and that needs to be
> taken into consideration.
They won't even get to the site in the first place. With EDNS, a very
large DNS response over UDP is possible. On the wire, it's a single
large UDP packet fragmented at the IP level. If you block fragments,
you'll only get the first part of the UDP packet. Using a validating
resolver pretty much guarantees you'll see such UDP packets regularly.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
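The failure mode described in the reply above (a large EDNS response arriving as several IP fragments, of which a fragment-blocking firewall lets through at most the first) can be reproduced without touching a network. The following simulation is an added example, not code from the post or from FreeBSD; it assumes a 1500-byte Ethernet MTU, a 20-byte IPv4 header without options, constructed response sizes, and two hypothetical firewall policies: one that drops every fragment (any packet with MF set or a non-zero offset, which also removes the first fragment) and one that drops only non-initial fragments. It also goes slightly beyond the post by showing that a response sized to fit in one packet never becomes a fragment at all, which is why limiting the advertised EDNS buffer size is the usual mitigation.

```python
"""Simulate IPv4 fragmentation of a large UDP/DNS response and the effect
of fragment-blocking firewall rules on reassembly.  Added example; all
sizes and policies below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IPV4_HEADER = 20   # bytes, no IP options (assumption)
UDP_HEADER = 8     # bytes
MTU = 1500         # Ethernet MTU (assumption)


@dataclass
class Fragment:
    offset: int    # byte offset of this piece within the UDP datagram
    more: bool     # IPv4 "More Fragments" (MF) flag
    data: bytes    # transport-layer bytes carried by this fragment


def fragment_udp(payload: bytes, mtu: int = MTU) -> List[Fragment]:
    """Split a UDP datagram (header + payload) into IPv4 fragments.

    Only the first fragment carries the UDP header; every fragment's
    data length is a multiple of 8 bytes, as IPv4 offsets require.
    """
    datagram = b"\x00" * UDP_HEADER + payload      # dummy UDP header
    per_frag = (mtu - IPV4_HEADER) // 8 * 8         # 1480 for MTU 1500
    frags = []
    for off in range(0, len(datagram), per_frag):
        chunk = datagram[off:off + per_frag]
        more = off + per_frag < len(datagram)
        frags.append(Fragment(off, more, chunk))
    return frags


Policy = Callable[[List[Fragment]], List[Fragment]]


def block_all_fragments(frags: List[Fragment]) -> List[Fragment]:
    # Hypothetical "block fragments" rule: drop anything with MF set or a
    # non-zero offset.  The first fragment has MF set, so it is dropped too.
    return [f for f in frags if not f.more and f.offset == 0]


def block_noninitial_fragments(frags: List[Fragment]) -> List[Fragment]:
    # Hypothetical rule that drops only fragments with a non-zero offset;
    # the first piece of a fragmented datagram still gets through.
    return [f for f in frags if f.offset == 0]


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the UDP payload if every fragment arrived, else None."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0 or frags[-1].more:
        return None                      # missing head or tail
    buf = b""
    for f in frags:
        if f.offset != len(buf):
            return None                  # hole in the middle
        buf += f.data
    return buf[UDP_HEADER:]


def simulate(response_size: int, policy: Policy,
             mtu: int = MTU) -> Tuple[int, int, bool, int]:
    """Send one DNS response of `response_size` payload bytes through `policy`.

    Returns (fragments sent, fragments passed, reassembled intact,
    transport bytes the resolver actually received).
    """
    pattern = bytes(range(256))
    payload = (pattern * (response_size // 256)
               + pattern[:response_size % 256])   # constructed payload
    sent = fragment_udp(payload, mtu)
    passed = policy(sent)
    intact = reassemble(passed) == payload
    seen = sum(len(f.data) for f in passed)
    return len(sent), len(passed), intact, seen


if __name__ == "__main__":
    for size in (512, 1232, 4096):
        for name, pol in (("block all fragments", block_all_fragments),
                          ("block non-initial", block_noninitial_fragments)):
            sent, passed, ok, seen = simulate(size, pol)
            print(f"{size:5d}-byte response, {name:20s}: "
                  f"{passed}/{sent} fragments, {seen} bytes, "
                  f"{'OK' if ok else 'UNUSABLE'}")
```

With a 4096-byte response (a common EDNS buffer size) the datagram becomes three fragments; the drop-everything rule leaves the resolver nothing, and the drop-non-initial rule leaves it 1480 bytes that cannot be reassembled, matching the "only the first part" outcome in the post. A 512-byte or 1232-byte response fits in one unfragmented packet and passes either rule untouched.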