Re: dropping udp fragments with ipfw

From: Ronald Klop <ronald-lists_at_klop.ws>
Date: Thu, 29 Aug 2024 19:59:12 UTC
From: mike tancsa <mike@sentex.net>
Date: Thursday, 29 August 2024 20:51
To: FreeBSD Net <freebsd-net@freebsd.org>
Subject: dropping udp fragments with ipfw
> 
> I was working on some firewall rules to drop large UDP fragment attacks and noticed there is no easy way to drop fragments based on port? e.g. if someone sends a UDP packet of 1400 bytes, I can drop it with
> 
> TARGET=192.168.1.1
> 
> ipfw add 5 deny log udp from any 53 to $TARGET
> 
> But if that packet is say 2000 bytes and is fragmented, the fragment passes through. I have to add a subsequent rule
> 
> ipfw add 10 deny log udp from any to $TARGET fragment
> 
> But this would kill all UDP fragments.  If the host has some other UDP application that needs to deal with fragmented packets, is there a way to get around that and only drop packets with a certain port in the first fragment?
> 
>      ---Mike
Fragmentation happens on IP level. As far as I know ipfw does not keep state of fragments.
You can use "reass" to let the firewall reassemble the fragmented IP packet and only forward it when it is complete. The manual page of ipfw describes this.
Another option I can think of, but which I didn't try, is setting up dummynet rate limiting and directing the fragments through it.

Regards,
Ronald.
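As an added illustration of the two options above (not from either poster, and untested against the original setup): a ruleset where `reass` is placed before the port-based deny, so the deny rule sees the reassembled datagram instead of individual fragments, plus the dummynet variant as a separate, clearly marked alternative. `TARGET` is the address from the original question; `IPFW` is an assumed variable so the rules can be previewed with `IPFW=echo` before being applied as root.

```shell
#!/bin/sh
# Added example for the thread above; not code from either poster.
# Order matters: IPv4 fragments are queued by "reass" until the datagram is
# complete, and only the reassembled packet continues to the next rule,
# where the UDP port is visible again. A plain "fragment" rule instead
# matches every non-first fragment regardless of port.

TARGET=${TARGET:-192.168.1.1}   # host from the original question
IPFW=${IPFW:-ipfw}              # assumed: set IPFW=echo to preview the rules

apply_rules() {
    # 1. Reassemble inbound IPv4 fragments before any port matching.
    "$IPFW" add 1 reass all from any to any in
    # 2. The original port-based deny now also catches datagrams that
    #    arrived fragmented, because the L4 header has been restored.
    "$IPFW" add 5 deny log udp from any 53 to "$TARGET"
    # 3. Other UDP traffic, including formerly fragmented datagrams,
    #    falls through to the remaining ruleset untouched.
}

# Alternative mentioned but not tried in the thread: instead of dropping,
# push the fragments through a dummynet pipe to cap their bandwidth.
# Bandwidth value is an arbitrary placeholder, not a recommendation.
apply_ratelimit() {
    "$IPFW" pipe 1 config bw 512Kbit/s
    "$IPFW" add 10 pipe 1 udp from any to "$TARGET" fragment
}

# Run as root with "apply" or "ratelimit"; with no argument nothing is changed.
case "${1:-}" in
    apply)     apply_rules ;;
    ratelimit) apply_ratelimit ;;
esac
```

Preview with `IPFW=echo sh rules.sh apply` first; the reassembly rule must carry a lower rule number than the port-based deny, otherwise fragments reach the deny rule before the datagram has been put back together.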