When blocking fragmented packets, do you just need to use the command
set firewall name INEDGE rule 1 action 'drop'
set firewall name INEDGE rule 1 description 'Transit ACL, BCP 38'
set firewall name INEDGE rule 1 destination address '172.16.0.0/22'
set firewall name INEDGE rule 1 fragment 'match-frag'
set firewall name INEDGE rule 1 source address '0.0.0.0/0'
or
and specify a protocol:
set firewall name INEDGE rule 1 action 'drop'
set firewall name INEDGE rule 1 description 'Transit ACL, BCP 38'
set firewall name INEDGE rule 1 destination address '172.16.0.0/22'
set firewall name INEDGE rule 1 fragment 'match-frag'
set firewall name INEDGE rule 1 source address '0.0.0.0/0'
set firewall name INEDGE rule 1 protocol 'tcp'
With Cisco you have to specify a protocol.
access-list 110 deny tcp any 172.16.0.0 0.0.3.255 fragments
access-list 110 deny udp any 172.16.0.0 0.0.3.255 fragments
access-list 110 deny icmp any 172.16.0.0 0.0.3.255 fragments
The original question is for blocking fragments entering our network from traffic sourced from our network per BCP 38. With Cisco we never had a problem and would stop a lot of miscreant traffic.
So, dropping packets that are fragmented and sourced from our network on the edge ingress interface will not harm any DNSSEC traffic. Do you have any experience with this?
All attempts I’ve made don’t show anything when running ‘sh firewall name INEDGE stats’