keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Sergey Matveychuk sem at FreeBSD.org
Sun Mar 15 04:12:00 PDT 2009


Sergey Matveychuk wrote:
> Luigi Rizzo wrote:
>> On Sun, Mar 15, 2009 at 12:38:37PM +0300, Sergey Matveychuk wrote:
>>> Dmitriy Demidov wrote:
>>>> Hi Luigi. Thank you for answer.
>>>> It is a big "surprise" for me that reassembly of IP datagrams is 
>>>> done not *before* they go into the firewall, but *after* :(
>>> But what's wrong with it? A fragment is received from the net, passes the 
>>> firewall and is stored. After we get all fragments, the OS reassembles the 
>>> packet and passes it through the firewall again.
>>
>> Currently we don't have a way to re-invoke the firewall after
>> reassembly. In fact, we should probably provide hooks before and
>> after reassembly, and use them in a configurable way.
> 
> It sounds like a security issue. We can construct any packet that passes 
> through the firewall?
> 

Well, I see a first fragment will be checked. But anyway I think the 
reassembled packet must pass the firewall again.

-- 
Dixi.
Sem.
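The thread's point, that a port-based ruleset can only decide on the first fragment of a big UDP datagram and that nothing re-checks the reassembled datagram, is easiest to see in a small model. The following is an added illustration written for this discussion, not ipfw code: it fragments a UDP datagram, runs each fragment through a toy check-state / allow-keep-state / deny ruleset (the fragment sizes, addresses, ports and identification values are constructed), and then compares the verdicts with those obtained when the whole datagram is checked after reassembly, the hook Luigi describes as missing.

```python
"""Toy model of an IPv4 fragment stream meeting a port-based keep-state ruleset.

Constructed illustration for the freebsd-ipfw thread; not ipfw's own code.
Only UDP is modelled and the dynamic state is a plain set of flow tuples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]  # (src, dst, IP identification) identifies one datagram


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification, shared by all fragments of a datagram
    offset: int     # fragment offset in bytes (0 = first fragment)
    more: bool      # More-Fragments flag
    payload: bytes  # slice of the UDP header+data carried by this fragment


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (ports, length, zeroed checksum) followed by the data."""
    length = 8 + len(data)
    return (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
            + length.to_bytes(2, "big") + b"\x00\x00" + data)


def fragment(src: str, dst: str, ident: int, udp: bytes, chunk: int = 16) -> List[Fragment]:
    """Cut a UDP datagram into IP fragments of `chunk` bytes (a multiple of 8)."""
    assert chunk % 8 == 0
    return [Fragment(src, dst, ident, off, off + chunk < len(udp), udp[off:off + chunk])
            for off in range(0, len(udp), chunk)]


def reassemble(frags: List[Fragment]) -> Dict[Key, bytes]:
    """Group fragments by (src, dst, ident); return only complete, gap-free datagrams."""
    groups: Dict[Key, List[Fragment]] = {}
    for f in frags:
        groups.setdefault((f.src, f.dst, f.ident), []).append(f)
    out: Dict[Key, bytes] = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        buf, expected, complete = b"", 0, True
        for p in parts:
            if p.offset != expected:       # hole in the datagram: keep waiting
                complete = False
                break
            buf += p.payload
            expected += len(p.payload)
        if complete and not parts[-1].more:  # last piece seen, no gaps
            out[key] = buf
    return out


def ports_of(offset: int, payload: bytes) -> Optional[Tuple[int, int]]:
    """Only a first fragment (offset 0) carries the transport header, hence the ports."""
    if offset != 0 or len(payload) < 8:
        return None
    return int.from_bytes(payload[:2], "big"), int.from_bytes(payload[2:4], "big")


class Firewall:
    """check-state; allow udp from any to any <dport> keep-state; deny ip from any to any."""

    def __init__(self, allowed_dport: int) -> None:
        self.allowed_dport = allowed_dport
        self.dynamic: set = set()  # flows created by keep-state: (src, dst, sport, dport)

    def check(self, src: str, dst: str, offset: int, payload: bytes) -> str:
        ports = ports_of(offset, payload)
        # check-state can only match when the ports are visible in the packet
        if ports is not None and (src, dst, *ports) in self.dynamic:
            return "allow"
        # allow ... <dport> keep-state: same restriction, non-first fragments never match
        if ports is not None and ports[1] == self.allowed_dport:
            self.dynamic.add((src, dst, *ports))
            return "allow"
        return "deny"  # deny ip from any to any


def verdicts_before_reassembly(fw: Firewall, frags: List[Fragment]) -> List[str]:
    """What a firewall hooked before reassembly sees: one verdict per fragment."""
    return [fw.check(f.src, f.dst, f.offset, f.payload) for f in frags]


def verdicts_after_reassembly(fw: Firewall, frags: List[Fragment]) -> Dict[Key, str]:
    """What a firewall hooked after reassembly would see: one verdict per datagram."""
    return {key: fw.check(key[0], key[1], 0, udp) for key, udp in reassemble(frags).items()}


def demo() -> Tuple[List[str], Dict[Key, str]]:
    data = bytes(range(40))  # 48-byte UDP datagram -> three 16-byte fragments (constructed)
    dns = fragment("10.0.0.1", "10.0.0.2", 1, build_udp(40000, 53, data))
    other = fragment("10.0.0.1", "10.0.0.2", 2, build_udp(40001, 9999, data))
    before = verdicts_before_reassembly(Firewall(53), dns + other)
    after = verdicts_after_reassembly(Firewall(53), dns + other)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run per fragment, only the first fragment of the port-53 datagram is allowed and the two following fragments are denied, so the datagram can never be reassembled at the receiver even though a keep-state entry for the flow has already been created; this is the "big UDP packets" symptom in the subject line. Run once per reassembled datagram, the port-53 datagram passes whole and the port-9999 one is denied, which is the behaviour both Sem and Luigi are asking for.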

