keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Sergey Matveychuk
sem at FreeBSD.org
Sun Mar 15 03:40:18 PDT 2009
Luigi Rizzo wrote:
> On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
>> Dmitriy Demidov wrote:
>>> Hi Luigi. Thank you for answer.
>>> It is a big "surprise" for me that reassembling of IP datagrams is done
>>> not *before* they go into the firewall, but *after* :(
>> But what's wrong with it? A fragment is received from the net, passes the firewall and
>> is stored. After we get all fragments, the OS reassembles the packet and passes it
>> through the firewall again.
>
> Currently we don't have a way to re-invoke the firewall after
> reassembly. In fact, we should probably provide hooks before and
> after reassembly, and use them in a configurable way.
It sounds like a security issue. We can construct any packet that passes
through the firewall?
--
Dixi.
Sem.
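As an added illustration of the ordering problem discussed in this thread (not code from ipfw or from anyone on the list): a simplified model of a port-matching rule evaluated once per IPv4 fragment versus once on the reassembled datagram. The header layout, addresses, ports and the rule are constructed for the example.

```python
import struct

MF = 0x2000      # "more fragments" bit in the IPv4 flags/offset field
OFFSET = 0x1FFF  # fragment offset, in 8-byte units


def make_fragments(ident, dport, payload, per_frag=8):
    """Constructed input: one UDP datagram split into IPv4 fragments of
    per_frag payload bytes (multiple of 8). Only the first carries UDP ports."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    frags = []
    for off in range(0, len(udp), per_frag):
        chunk = udp[off:off + per_frag]
        more = MF if off + per_frag < len(udp) else 0
        hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(chunk), ident,
                          more | off // 8, 64, 17, 0, 0x0A000001, 0x0A000002)
        frags.append(hdr + chunk)
    return frags


def reassemble(frags):
    """Stack-side reassembly: returns the full IP payload, or None while
    fragments are still missing (a real stack keeps waiting or times out)."""
    pieces, total = {}, None
    for f in frags:
        flags_off = struct.unpack("!H", f[6:8])[0]
        off = (flags_off & OFFSET) * 8
        pieces[off] = f[20:]
        if not flags_off & MF:
            total = off + len(f) - 20
    data = b"".join(pieces[k] for k in sorted(pieces))
    return data if total is not None and len(data) == total else None


def rule_decision(pkt, allowed_dport):
    """What a port-matching rule can decide about one IP packet: a non-first
    fragment has no UDP header, so there is no port to match against."""
    if struct.unpack("!H", pkt[6:8])[0] & OFFSET:
        return "no-transport-header"
    dport = struct.unpack("!H", pkt[22:24])[0]
    return "allow" if dport == allowed_dport else "deny"


def filter_per_fragment(frags, allowed_dport):
    """Current order: the firewall sees each fragment on its own."""
    return [rule_decision(f, allowed_dport) for f in frags]


def filter_after_reassembly(frags, allowed_dport):
    """The post-reassembly hook Luigi describes: rule runs on the whole datagram."""
    data = reassemble(frags)
    if data is None:
        return "incomplete"
    return rule_decision(frags[0][:6] + b"\x00\x00" + frags[0][8:20] + data, allowed_dport)
```

Fragments after the first can only be passed or dropped blindly by a per-fragment port rule, which is why a second firewall pass on the reassembled datagram is needed to apply the rule to the whole packet.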