Handling Fragments

Dan Lists lists.dan at gmail.com
Thu Jan 7 00:16:03 UTC 2016


I have two primary questions regarding the handling of fragments (and some
follow-up questions).  The first question is in reference to IPv4 fragments
and net.inet.ip.fw.one_pass, and the second question is about handling IPv6
fragments.

The rule 'ipfw add reass ip4 from any to any in' is supposed to handle all
IPv4 fragments.  I am confused about the net.inet.ip.fw.one_pass variable.
The man page says:

       "if net.inet.ip.fw.one_pass is set to
        0, processing continues with the next rule.  Otherwise, the
        packet is allowed to pass and the search terminates."

Does this mean that if net.inet.ip.fw.one_pass is 1, which is the
default, that fragmented packets skip the remainder of my rules and
the packet is allowed through?  Or is the filtering based on the first
packet in the fragment?  I could not find any clear documentation on
this.  Is there a performance penalty for setting
net.inet.ip.fw.one_pass to 0?

The reass rule does not work for IPv6, so what is the best way to
handle IPv6 fragments?  I am seeing IPv6 fragments being blocked,
mostly DNS responses.  I have seen some suggestions to allow all
fragments in.  It seems like that would be a potential attack vector.
An attacker could fragment the packet and connect to an otherwise
blocked port.

Any feedback would be appreciated.

Thanks!
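An added illustration, not part of the original post and not ipfw's own code: a small pure-Python model of the two pipelines asked about above. It follows the ipfw(8) wording quoted in the post (a reass rule whose behaviour after reassembly depends on one_pass) and models the ipfw `frag` option as ipfw(8) describes it, matching only fragments that are not the first fragment of a datagram. The Frag record, the blocked-port policy, the sample fragmented SSH attempt and DNS reply, and the reassembler (which discards a datagram whose pieces overlap, as RFC 5722 requires of IPv6 hosts) are all constructed here for the example.

```python
# Added example: a toy model of ipfw-style fragment handling, built for
# illustration; nothing here is ipfw code.  Addresses, ports, identifiers
# and payloads below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCKED_PORTS = {22, 3306}            # constructed inbound policy: deny these ports


@dataclass
class Frag:
    src: str
    dst: str
    ident: int                        # IPv4 id / IPv6 fragment identification
    offset: int                       # byte offset of this piece in the datagram
    payload: bytes
    more: bool                        # MF bit: more fragments follow
    dst_port: Optional[int] = None    # transport header exists only at offset 0

    @property
    def fragmented(self) -> bool:
        return self.more or self.offset != 0


def port_verdict(dst_port: int) -> str:
    return "deny" if dst_port in BLOCKED_PORTS else "allow"


class Reassembler:
    """Collects pieces per (src, dst, ident) and returns the whole datagram once
    every byte from 0 to the last piece is covered.  Overlapping pieces discard
    the whole queue, which is what RFC 5722 requires of IPv6 hosts."""

    def __init__(self) -> None:
        self.queues: Dict[Tuple[str, str, int], List[Frag]] = {}

    def add(self, f: Frag) -> Optional[Frag]:
        key = (f.src, f.dst, f.ident)
        q = self.queues.setdefault(key, [])
        q.append(f)
        q.sort(key=lambda p: p.offset)
        cursor = 0
        for piece in q:
            if piece.offset < cursor:          # overlap: drop the datagram
                del self.queues[key]
                return None
            if piece.offset > cursor:          # hole: keep waiting
                return None
            cursor += len(piece.payload)
        if q[-1].more:                         # last piece not seen yet
            return None
        del self.queues[key]
        return Frag(f.src, f.dst, f.ident, 0, b"".join(p.payload for p in q),
                    False, q[0].dst_port)


def ipv4_pipeline(frags: List[Frag], one_pass: bool) -> List[Tuple[str, Frag]]:
    """Rules in order: reass ip4 from any to any in; port filter.  With one_pass
    set, the reassembled datagram passes without visiting the later rule, as the
    man page text quoted in the post reads; middle fragments are consumed."""
    reass, out = Reassembler(), []
    for f in frags:
        if f.fragmented:
            whole = reass.add(f)
            if whole is None:
                continue
            if one_pass:
                out.append(("allow", whole))
                continue
            f = whole
        out.append((port_verdict(f.dst_port), f))
    return out


def ipv6_allow_frags_pipeline(frags: List[Frag]) -> List[Tuple[str, Frag]]:
    """Stateless rules: allow ip6 from any to any frag; port filter.  'frag'
    matches non-first fragments only, the pieces with no ports to inspect."""
    return [("allow", f) if f.offset != 0 else (port_verdict(f.dst_port), f)
            for f in frags]


def receiver_completes(verdicts: List[Tuple[str, Frag]]) -> List[int]:
    """Replay what the firewall forwarded into a receiver-side reassembler and
    report the destination ports of datagrams that could be completed."""
    r, done = Reassembler(), []
    for verdict, f in verdicts:
        if verdict != "allow":
            continue
        whole = r.add(f) if f.fragmented else f
        if whole is not None:
            done.append(whole.dst_port)
    return done


def fragment(src: str, dst: str, ident: int, port: int, data: bytes,
             mtu: int = 8) -> List[Frag]:
    """Split data into mtu-sized pieces; only the first piece carries the port."""
    pieces = [data[i:i + mtu] for i in range(0, len(data), mtu)]
    return [Frag(src, dst, ident, i * mtu, p, i < len(pieces) - 1,
                 port if i == 0 else None) for i, p in enumerate(pieces)]


SSH_ATTEMPT = fragment("2001:db8::bad", "2001:db8::1", 7, 22, b"SSH-2.0-evil\r\n")
DNS_REPLY = fragment("2001:db8::53", "2001:db8::1", 9, 40000, b"dns-answer-bytes-01")

if __name__ == "__main__":
    traffic = SSH_ATTEMPT + DNS_REPLY
    for one_pass in (False, True):
        done = receiver_completes(ipv4_pipeline(traffic, one_pass))
        print(f"ipv4 reass, one_pass={int(one_pass)}: completed ports {done}")
    v6 = ipv6_allow_frags_pipeline(traffic)
    print("ipv6 allow-frags verdicts:", [(v, f.offset, f.dst_port) for v, f in v6])
    print("ipv6 receiver completed ports:", receiver_completes(v6))
```

Running it shows the three behaviours side by side: with one_pass=0 the reassembled datagram aimed at port 22 reaches the port rule and is denied; with one_pass=1 it is accepted straight out of the reass rule and the port rule never sees it; and the stateless IPv6 ruleset waves the non-first fragments through blindly while the first fragment, the only piece carrying ports, is still filtered, so from what was forwarded the receiver can complete the DNS reply but not the datagram for the blocked port.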


More information about the freebsd-ipfw mailing list