Re: dropping udp fragments with ipfw

From: mike tancsa <mike_at_sentex.net>
Date: Thu, 29 Aug 2024 19:53:36 UTC
On 8/29/2024 3:45 PM, Olivier Cochard-Labbé wrote:
>
> On Thu, Aug 29, 2024 at 8:52 PM mike tancsa <mike@sentex.net> wrote:
>
>     But this would kill all UDP fragments.  If the host has some other
>     UDP application that needs to deal with fragmented packets, is there
>     a way to get around that and only drop packets with a certain port in
>     the first fragment?
>
>
> When a packet is fragmented, only the IP header (not the UDP header 
> that includes the port number) is copied for all subsequent fragmented 
> packets.
> To fix this behavior, you can instruct the firewall to reassemble the 
> packet before performing UDP/TCP port filtering.
> Refer to the ipfw(4) man page on the "reass" keyword, which provides 
> the following example:
> ipfw add reass all from any to any in
>
> I hope this helps!


Thanks very much, it does!  Under DDoS attack, how "expensive" would 
this be?  I noticed there are some default queue limits that probably 
would be exhausted fairly quickly.  I might look instead, for this use 
case, to use the Chelsio NIC rules (via cxgbetool) and just drop with 
something like this:

cxgbetool t5nex0 filter 10 sip 0.0.0.0/0 sport 53 dip 192.168.1.1/32 proto 17 action drop
cxgbetool t5nex0 filter 11 sip 0.0.0.0/0 dip 192.168.1.1/32 proto 17 frag 1 action drop

to protect the customer downstream and then get rid of rule 11 once the 
pps rate drops back to normal.

     ---Mike
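The fragmentation behaviour discussed in this thread (only fragment 0 carries the UDP header, so a port-based rule can match only that fragment, while reassembling first lets the rule see the whole datagram) as an added Python illustration. This is not code from the thread, from ipfw, or from cxgbetool; it builds a constructed IPv4/UDP datagram (addresses, ident and filler payload are made up), fragments it per RFC 791, and shows what a stateless port match sees on each fragment versus after reassembly. It assumes a 20-byte IP header with no options and a single datagram per reassembly call.

```python
"""Added example: why 'udp from any 53' cannot match non-first IP fragments,
and what changes once the fragments are reassembled before filtering."""
import struct

IP_HDR_LEN = 20   # assumption: no IP options
UDP_HDR_LEN = 8
MF_FLAG = 0x2000  # "more fragments" bit in the flags/offset field


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip_header(src: bytes, dst: bytes, ident: int, flags_frag: int, payload_len: int) -> bytes:
    """IPv4 header, proto 17 (UDP), with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident,
                      flags_frag, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_udp_packet(src: bytes, dst: bytes, sport: int, dport: int,
                     payload: bytes, ident: int = 0x1234) -> bytes:
    """Unfragmented IPv4/UDP packet (UDP checksum 0, which IPv4 permits)."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    return _ip_header(src, dst, ident, 0, len(udp)) + udp


def fragment(packet: bytes, mtu: int) -> list:
    """Split per RFC 791: every fragment gets a copy of the IP header, the
    transport header travels only in the first chunk, chunks are 8-byte multiples."""
    hdr, data = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    src, dst = hdr[12:16], hdr[16:20]
    ident = struct.unpack("!H", hdr[4:6])[0]
    chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = MF_FLAG if off + chunk < len(data) else 0
        frags.append(_ip_header(src, dst, ident, more | (off // 8), len(piece)) + piece)
    return frags


def frag_offset(packet: bytes) -> int:
    """Fragment offset in 8-byte units (0 for the first fragment or a whole datagram)."""
    return struct.unpack("!H", packet[6:8])[0] & 0x1FFF


def port_match(packet: bytes, port: int) -> bool:
    """A stateless UDP port rule: the bytes after the IP header are a UDP header
    only when the offset is 0, so non-first fragments can never match a port."""
    if frag_offset(packet) != 0:
        return False
    sport, dport = struct.unpack("!HH", packet[IP_HDR_LEN:IP_HDR_LEN + 4])
    return port in (sport, dport)


def reassemble(frags: list) -> bytes:
    """Rebuild one datagram from its fragments (same src/dst/id assumed),
    the step an ipfw 'reass' rule performs before later rules run."""
    ordered = sorted(frags, key=frag_offset)
    data = b"".join(f[IP_HDR_LEN:] for f in ordered)
    hdr = ordered[0]
    ident = struct.unpack("!H", hdr[4:6])[0]
    return _ip_header(hdr[12:16], hdr[16:20], ident, 0, len(data)) + data


def verdicts_after_reass(frags: list, port: int) -> list:
    """Reassemble, then apply the port rule to the whole datagram: the verdict
    now covers every fragment, not just the one carrying the UDP header."""
    verdict = "drop" if port_match(reassemble(frags), port) else "pass"
    return [verdict] * len(frags)


# Constructed sample: a 1400-byte UDP response from port 53 to a customer host.
SRC = bytes([10, 0, 0, 1])
DST = bytes([192, 168, 1, 1])
SAMPLE = build_udp_packet(SRC, DST, 53, 40000, b"\xaa" * 1400)

if __name__ == "__main__":
    frags = fragment(SAMPLE, 576)
    for f in frags:
        print("offset", frag_offset(f), "port-53 rule matches:", port_match(f, 53))
    print("after reass:", verdicts_after_reass(frags, 53))
```

Running it shows the first fragment matching the port-53 rule and the other two passing untouched, which is exactly why dropping by port alone leaves most of the amplified response on the wire; only after reassembly does one verdict apply to the whole datagram.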