Re: dropping udp fragments with ipfw
- In reply to: Olivier_Cochard-Labbé : "Re: dropping udp fragments with ipfw"
Date: Thu, 29 Aug 2024 19:53:36 UTC
On 8/29/2024 3:45 PM, Olivier Cochard-Labbé wrote:
>
> On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <mike@sentex.net> wrote:
>
>     But this would kill all UDP fragments. If the host has some other
>     UDP application that needs to deal with fragmented packets, is there
>     a way to get around that and only drop packets with a certain port
>     in the first fragment ?
>
> When a packet is fragmented, only the IP header (not the UDP header
> that includes the port number) is copied for all subsequent fragmented
> packets.
> To fix this behavior, you can instruct the firewall to reassemble the
> packet before performing UDP/TCP port filtering.
> Refer to the ipfw(4) man page on the "reass" keyword, which provides
> the following example:
>
> ipfw add reass all from any to any in
>
> I hope this helps!

Thanks very much, it does! Under DDoS attack, how "expensive" would this be? I noticed there are some default queue limits that probably would be exhausted fairly quickly. I might look instead for this use case to use the chelsio NIC rules (via cxgbetool) and just drop with something like this:

cxgbetool t5nex0 filter 10 sip 0.0.0.0/0 sport 53 dip 192.168.1.1/32 proto 17 action drop
cxgbetool t5nex0 filter 11 sip 0.0.0.0/0 dip 192.168.1.1/32 proto 17 frag 1 action drop

to protect the customer downstream and then get rid of rule 11 once the pps rate drops back to normal.

---Mike
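The point Olivier makes above (only the IP header is copied into later fragments, so a per-packet port rule can only ever match the first fragment) and the reassemble-then-filter approach behind ipfw's "reass" are easy to see on constructed packets. The script below is an added illustration, not code from the thread or from FreeBSD: it builds a UDP/IPv4 datagram, fragments it the way a sender would, and compares a naive per-fragment source-port match against a reassemble-then-match check. Addresses, ports, the identification value and the MTU are made-up sample values.

```python
"""Constructed demo: why a per-packet UDP port rule misses fragments 2..n,
and how reassembling first (as ipfw's "reass" does) fixes the match."""
import socket
import struct

IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
IPPROTO_UDP = 17


def build_ipv4(src, dst, proto, ident, more_frags, frag_offset_bytes, payload):
    """Minimal 20-byte IPv4 header (checksum left 0, irrelevant here)."""
    flags_off = (IP_MF if more_frags else 0) | ((frag_offset_bytes // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    (_, _, _, ident, flags_off, _, proto, _, src, dst) = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ident": ident, "more": bool(flags_off & IP_MF),
            "offset": (flags_off & 0x1FFF) * 8, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[20:]}


def fragment_udp(src, dst, sport, dport, data, mtu=64, ident=0x1234):
    """Fragment one UDP datagram: the 8-byte UDP header (with the ports)
    rides only in the first fragment; later ones are IP header + payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    chunk = (mtu - 20) // 8 * 8               # per-fragment payload, 8-byte aligned
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(build_ipv4(src, dst, IPPROTO_UDP, ident, more, off, piece))
    return frags


def naive_filter(pkt, sport):
    """Per-packet 'deny udp from any <sport>': only a fragment at offset 0
    carries a UDP header, so every later fragment is passed unmatched."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_UDP or ip["offset"] != 0:
        return "pass"
    return "drop" if struct.unpack("!H", ip["payload"][:2])[0] == sport else "pass"


class Reassembler:
    """Holds fragments per (src, dst, id, proto) until the datagram is whole.
    This pending table is exactly the state a flood of fragments exhausts."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt):
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][ip["offset"]] = ip["payload"]
        if not ip["more"]:                     # last fragment fixes the total length
            entry["total"] = ip["offset"] + len(ip["payload"])
        if entry["total"] is None:
            return None
        if sum(len(p) for p in entry["parts"].values()) < entry["total"]:
            return None
        data = b"".join(entry["parts"][o] for o in sorted(entry["parts"]))
        del self.pending[key]
        return key, data


def reass_filter(pkts, sport):
    """Reassemble first, then match the port once per whole datagram."""
    reasm, decisions = Reassembler(), []
    for pkt in pkts:
        done = reasm.feed(pkt)
        if done is None:
            continue                           # held until complete
        _, udp = done
        decisions.append("drop" if struct.unpack("!H", udp[:2])[0] == sport else "pass")
    return decisions


if __name__ == "__main__":
    frags = fragment_udp("10.0.0.5", "192.168.1.1", 53, 40000, b"A" * 120)
    print("fragments:", len(frags))
    print("naive    :", [naive_filter(f, 53) for f in frags])   # only the first is dropped
    print("reass    :", reass_filter(frags, 53))                # whole datagram dropped
```

Running it shows four fragments for the 128-byte datagram; the naive rule drops only the first and lets the other three through, while the reassembling filter makes one decision for the whole datagram. The `pending` dictionary in `Reassembler` is the cost Mike asks about: each in-flight datagram occupies an entry until its last fragment arrives, which is why a reassembly queue has limits and why pushing fragment drops down to the NIC during a flood is attractive.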