Blocking fragmented packets

Hello,

When blocking fragmented packets, do you just need to use the commands

set firewall name INEDGE rule 1 action 'drop'
set firewall name INEDGE rule 1 description 'Transit ACL, BCP 38'
set firewall name INEDGE rule 1 destination address '172.16.0.0/22'
set firewall name INEDGE rule 1 fragment 'match-frag'
set firewall name INEDGE rule 1 source address '0.0.0.0/0'

or do you also need to specify a protocol:

set firewall name INEDGE rule 1 action 'drop'
set firewall name INEDGE rule 1 description 'Transit ACL, BCP 38'
set firewall name INEDGE rule 1 destination address '172.16.0.0/22'
set firewall name INEDGE rule 1 fragment 'match-frag'
set firewall name INEDGE rule 1 source address '0.0.0.0/0'
set firewall name INEDGE rule 1 protocol 'tcp'

With Cisco you have to specify a protocol.

access-list 110 deny tcp any 172.16.0.0 0.0.3.255 fragments
access-list 110 deny udp any 172.16.0.0 0.0.3.255 fragments
access-list 110 deny icmp any 172.16.0.0 0.0.3.255 fragments

Any help is appreciated.

Do you have any machines doing dnssec verification behind that network?

Typical dnssec udp packets are much larger than 1500 bytes, and are normally fragmented.

dig @a.gtld.biz US. SOA +norec +dnssec

That currently results in a 2153 byte response.
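To make the reply above concrete, here is an added example (not from the thread or from Vyatta) that splits a 2153-byte UDP DNS response into IPv4 fragments for a 1500-byte MTU and runs each fragment through rule 1 as posted. It assumes 'fragment match-frag' matches non-initial fragments (fragment offset != 0), the way Cisco's 'fragments' keyword does; the addresses are constructed sample values.

```python
import ipaddress

IP_HDR = 20   # IPv4 header length without options
UDP_HDR = 8   # UDP header length


def fragment(payload_len, mtu=1500):
    """Split a UDP datagram carrying payload_len data bytes into IPv4 fragments.
    Returns (offset in 8-byte units, more-fragments flag, bytes carried) per
    fragment; only the first fragment carries the UDP header and ports."""
    total = UDP_HDR + payload_len
    max_data = (mtu - IP_HDR) // 8 * 8   # non-final fragments are 8-byte aligned
    frags, off = [], 0
    while off < total:
        size = min(max_data, total - off)
        frags.append((off // 8, off + size < total, size))
        off += size
    return frags


# Rule 1 as posted: source any, destination 172.16.0.0/22, match-frag, drop.
RULE = {"src": ipaddress.ip_network("0.0.0.0/0"),
        "dst": ipaddress.ip_network("172.16.0.0/22"),
        "action": "drop"}


def rule_matches(rule, src, dst, frag_offset):
    """Assumed match-frag semantics: prefixes match and offset is non-zero."""
    return (ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and frag_offset != 0)


def evaluate(src, dst, payload_len, rule=RULE):
    """Per-fragment verdict; 'accept' means rule 1 did not match this fragment."""
    return [rule["action"] if rule_matches(rule, src, dst, off) else "accept"
            for off, _more, _size in fragment(payload_len)]


def reassembles(src, dst, payload_len, rule=RULE):
    """The resolver only gets the answer if every fragment arrives."""
    return all(v == "accept" for v in evaluate(src, dst, payload_len, rule))


if __name__ == "__main__":
    # Constructed: 2153-byte DNSSEC answer from an outside server (203.0.113.53)
    # to a resolver inside 172.16.0.0/22; the trailing fragment is dropped.
    print(evaluate("203.0.113.53", "172.16.1.10", 2153))     # ['accept', 'drop']
    print(reassembles("203.0.113.53", "172.16.1.10", 2153))  # False
```

The initial fragment passes rule 1 and falls through to later rules, so the rule silently breaks large DNSSEC answers to any resolver in the destination prefix rather than blocking the whole flow.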

The original question is for blocking fragments entering our network from traffic sourced from our network per BCP 38. With Cisco we never had a problem, and it would stop a lot of miscreant traffic.

So, dropping packets that are fragmented and sourced from our network on the edge ingress interface will not harm any DNSSEC traffic. Do you have any experience with this?

All attempts I’ve made don’t show anything when running ‘sh firewall name INEDGE stats’