keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Paolo Pisati
p.pisati at oltrelinux.com
Thu Apr 2 05:09:09 PDT 2009
Luigi Rizzo wrote:
> Can you put a description in the manpage especially on the
> assumptions and side effects of the reass option ?
>
> E.g. as I read it,
> + you need to make sure that the fragments are not dropped before
> the 'reass' (so you cannot rely on port numbers to decide
> accept or deny). This is obvious but a very common mistake;
> + reass silently queues the fragment if it does not reass, so it
> opens up a bit of vulnerability. Again obvious, but people
> won't realise if they don't see the code.
>
Someone else already pointed out that I should mention
net.inet.ip.maxfrag*; I'll come up
with an updated man page later today.
--
bye,
P.
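The two points Luigi raises (put `reass` ahead of any rule that matches on ports, and remember that queued fragments cost memory, bounded by the net.inet.ip.maxfrag* sysctls) are easy to get wrong in a real ruleset. The following is an added example, not code from either poster or from the ipfw tree: a small ipfw ruleset with the `reass` rule first, and a shell lint that checks a ruleset file for the ordering mistake. The rule numbers, the allowed services and the use of `me` are assumptions chosen for illustration; the script only writes and inspects text, it never loads rules into the kernel (that would be `ipfw -q /path/to/file` on the host).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): an ipfw ruleset with
# 'reass' ahead of every port-based rule, plus a linter for that order.
# Rule numbers and services are assumptions; nothing here calls ipfw.

# Emit the ruleset to stdout, in the format 'ipfw -q <file>' accepts.
# Only the first fragment of a datagram carries the TCP/UDP header, so a
# port match on later fragments can never succeed: reassemble first,
# then filter on ports. Reassembly queues fragments in the kernel, and
# net.inet.ip.maxfragpackets / net.inet.ip.maxfragsperpacket bound that
# queue (check them with: sysctl net.inet.ip.maxfragpackets).
emit_rules() {
    cat <<'EOF'
add 100 reass ip from any to any in
add 200 check-state
add 300 allow udp from any to me 53 in keep-state
add 400 allow tcp from me to any out setup keep-state
add 65000 deny ip from any to any
EOF
}

# Exit 0 if the first 'reass' rule precedes every rule that matches on a
# numeric port (a port number right after the 'from X' or 'to X' address),
# exit 1 otherwise. Usage: check_order /path/to/ruleset
check_order() {
    awk '
        /[[:space:]]reass[[:space:]]/ && !seen { seen = 1; next }
        /(from|to)[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+/ && !seen { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

A ruleset that passes the lint can still drop fragments earlier for other reasons (an interface or address match that only the first fragment satisfies, for example), so the check is a guard against the common mistake Luigi names, not a proof that every fragment reaches `reass`.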
More information about the freebsd-ipfw mailing list