kern/51341 (fwd)
Maxim Konovalov
maxim at macomnet.ru
Fri Jul 4 04:10:21 PDT 2003
The following reply was made to PR kern/51341; it has been noted by GNATS.
From: Maxim Konovalov <maxim at macomnet.ru>
To: bug-followup at freebsd.org
Cc:
Subject: Re: kern/51341 (fwd)
Date: Fri, 4 Jul 2003 15:09:15 +0400 (MSD)
---------- Forwarded message ----------
Date: Fri, 4 Jul 2003 13:47:56 +0300
From: Andrey Lakhno <land at dnepr.net>
To: Maxim Konovalov <maxim at macomnet.ru>
Subject: Re: kern/51341
Hello,
On Thu, 03 Jul 2003, Maxim Konovalov wrote:
> Here is another workaround: add a following rule before any icmp deny
> rules:
>
> ipfw add pass icmp from any to any frag
>
> I would like to describe the problem in two words. Please consider the
> following rule:
>
> deny icmp from any to any icmptype 5
>
> Consider we get an icmp fragment. In fact, it does not contain
> information about its type and due to the discussed bug ipfw1 will
> terminate the search and drop it. ipfw2 behaviour is different: if we
> do not know the icmp type of the packet, do not terminate the search
> and check the packet against the next rule.
>
> At the moment I really do not want to fix this bug because it changes
> the filtering policy and may have a negative effect on countless
> installations.
>
> Please let me know if you are satisfied with my explanation and I can
> close the PR.
I think this bug should be described in ipfw(8) or fixed.
--
Andrey Lakhno,
land-ripe
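The behaviour described in the thread, as an added model that is not part of the PR and not ipfw code: a small rule evaluator that follows the PR's description of ipfw1 (a rule that needs the ICMP type ends the search and drops a fragment that carries no ICMP header) and ipfw2 (such a rule is skipped), run against the `deny icmp ... icmptype 5` rule and the `pass icmp from any to any frag` workaround. The rule and packet structures are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of ipfw1 vs ipfw2 handling of ICMP fragments, written for
# this thread; it is not ipfw source and models only the options discussed.

@dataclass
class Rule:
    action: str                      # "pass" or "deny"
    proto: str                       # "icmp" or "ip" (any protocol)
    icmptype: Optional[int] = None   # rule needs the ICMP type to match
    frag: bool = False               # rule matches non-first fragments only

@dataclass
class Packet:
    proto: str
    fragment: bool                   # True for a non-first fragment
    icmptype: Optional[int]          # None when no ICMP header is present

def evaluate(rules: List[Rule], pkt: Packet, engine: str) -> str:
    """Return 'pass' or 'deny' for pkt under 'ipfw1' or 'ipfw2' semantics."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.frag and not pkt.fragment:
            continue
        if r.icmptype is not None:
            if pkt.icmptype is None:
                # Type unknown because the packet is a fragment.
                # ipfw1 (the bug in the PR): stop searching and drop.
                # ipfw2: the rule cannot match, go on to the next rule.
                if engine == "ipfw1":
                    return "deny"
                continue
            if pkt.icmptype != r.icmptype:
                continue
        return r.action
    return "deny"  # implicit default policy, constructed for the model

# Ruleset from the PR: block ICMP redirects (type 5), allow the rest.
RULES = [Rule("deny", "icmp", icmptype=5), Rule("pass", "ip")]
# Workaround from the thread: pass ICMP fragments before any icmp deny rule.
RULES_WORKAROUND = [Rule("pass", "icmp", frag=True)] + RULES

# Constructed sample traffic: a non-first ICMP fragment and a real redirect.
ICMP_FRAGMENT = Packet("icmp", fragment=True, icmptype=None)
REDIRECT = Packet("icmp", fragment=False, icmptype=5)
```

With `RULES`, the fragment is dropped under ipfw1 and passed under ipfw2; with `RULES_WORKAROUND` both engines pass it, while the redirect is denied in every case.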