keep-state rules inadequately handle big UDP packets or fragmented IP packets?
Paolo Pisati
p.pisati at oltrelinux.com
Tue Mar 17 08:12:42 PDT 2009
Alex Dupre wrote:
> Luigi Rizzo ha scritto:
>> it is not related to dynamic rules, but to the fact
>> that the firewall is called before reassembling packets.
>> The info (port numbers especially) is not available
>> in the fragments so the firewall cannot do anything.
>> The only solution would be to call the firewall
>> after reassembly. I am not sure if there is any work in progress
>> for that.
>
> FWIW pf has "traffic normalization" feature ("scrub" keyword), that
> reassembles packets before inspection. Unfortunately, it works with
> IPv4 packets, but lacks IPv6 support.
>
FYI I have a patch for ipfw nat that reassembles a packet before nat[*],
but if the idea of an explicit packet reassembly action sounds good, I
could move the code over there.
[*] actually the patch is really simple, it's just a call to ip_reass()
with some glue code, but nonetheless it could be used more globally.
--
bye,
P.
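The point Luigi makes above (the filter runs on individual fragments, and only the fragment at offset 0 carries the UDP header, so port-based keep-state matching cannot work on the others) and the reassemble-first approach taken by pf's scrub and by the ipfw nat patch, illustrated with an added C example. This is not code from the thread and not FreeBSD's ip_reass(): it builds a constructed IPv4/UDP datagram (addresses 10.0.0.1 -> 10.0.0.2, ports 5000 -> 53, an MTU of 576, all chosen for illustration), fragments it, shows which fragments a pre-reassembly firewall could read ports from, then runs a toy in-order reassembler and checks again. It assumes no IP options, fragments arriving in order, and ignores checksums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN   20          /* assumption: no IP options */
#define UDP_HDR_LEN  8
#define IP_MF        0x2000      /* "more fragments" flag */
#define IP_OFFMASK   0x1fff      /* fragment offset, in 8-byte units */
#define MAX_PKT      2048
#define MAX_FRAGS    8

struct frag { uint8_t data[MAX_PKT]; size_t len; };

static void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p)       { return (uint16_t)((p[0] << 8) | p[1]); }

/* Constructed sample datagram 10.0.0.1 -> 10.0.0.2 with a synthetic payload.
 * Checksums are left at zero; nothing in this example verifies them. */
size_t build_udp_datagram(uint8_t *out, size_t payload_len,
                          uint16_t sport, uint16_t dport, uint16_t id)
{
    size_t total = IP_HDR_LEN + UDP_HDR_LEN + payload_len;
    if (total > MAX_PKT) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                          /* version 4, IHL 5 */
    put16(out + 2, (uint16_t)total);        /* total length */
    put16(out + 4, id);                     /* identification */
    put16(out + 6, 0);                      /* flags/offset: not fragmented */
    out[8] = 64;                            /* TTL */
    out[9] = 17;                            /* protocol: UDP */
    const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    memcpy(out + 12, src, 4);
    memcpy(out + 16, dst, 4);
    uint8_t *udp = out + IP_HDR_LEN;
    put16(udp, sport);
    put16(udp + 2, dport);
    put16(udp + 4, (uint16_t)(UDP_HDR_LEN + payload_len));
    for (size_t i = 0; i < payload_len; i++) udp[UDP_HDR_LEN + i] = (uint8_t)i;
    return total;
}

/* Split the datagram into fragments that fit in mtu. Every fragment but the
 * last carries a multiple of 8 data bytes (RFC 791). Returns the count. */
int ip_fragment_packet(const uint8_t *pkt, size_t len, size_t mtu, struct frag *frags)
{
    if (mtu < IP_HDR_LEN + 8 || len < IP_HDR_LEN) return -1;
    size_t data_len = len - IP_HDR_LEN;
    size_t per_frag = (mtu - IP_HDR_LEN) & ~(size_t)7;
    int n = 0;
    for (size_t off = 0; off < data_len; off += per_frag, n++) {
        if (n >= MAX_FRAGS) return -1;
        size_t chunk = data_len - off < per_frag ? data_len - off : per_frag;
        memcpy(frags[n].data, pkt, IP_HDR_LEN);                /* same IP header */
        memcpy(frags[n].data + IP_HDR_LEN, pkt + IP_HDR_LEN + off, chunk);
        frags[n].len = IP_HDR_LEN + chunk;
        put16(frags[n].data + 2, (uint16_t)frags[n].len);
        uint16_t fo = (uint16_t)(off / 8);
        if (off + chunk < data_len) fo |= IP_MF;               /* more to come */
        put16(frags[n].data + 6, fo);
    }
    return n;
}

/* What a firewall called before reassembly can see: ports exist only in the
 * fragment at offset 0, and only if it is long enough to hold the UDP header.
 * Returns 0 and fills the ports on success, -1 otherwise. */
int udp_ports_visible(const uint8_t *pkt, size_t len, uint16_t *sport, uint16_t *dport)
{
    if (len < IP_HDR_LEN || (pkt[0] >> 4) != 4 || pkt[9] != 17) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (get16(pkt + 6) & IP_OFFMASK) return -1;   /* non-first fragment: no header here */
    if (len < ihl + UDP_HDR_LEN) return -1;       /* first fragment too short for ports */
    *sport = get16(pkt + ihl);
    *dport = get16(pkt + ihl + 2);
    return 0;
}

/* Toy reassembler standing in for ip_reass() or pf scrub (assumption: in-order
 * fragments, no timers, no overlap handling). Returns the reassembled length,
 * or 0 if the chain is incomplete or out of order. */
size_t ip_reassemble(const struct frag *frags, int n, uint8_t *out)
{
    size_t expect = 0;
    int have_last = 0;
    for (int i = 0; i < n; i++) {
        const uint8_t *p = frags[i].data;
        uint16_t fo = get16(p + 6);
        size_t off = (size_t)(fo & IP_OFFMASK) * 8;
        size_t dlen = frags[i].len - IP_HDR_LEN;
        if (off != expect || IP_HDR_LEN + off + dlen > MAX_PKT) return 0;
        if (i == 0) memcpy(out, p, IP_HDR_LEN);
        memcpy(out + IP_HDR_LEN + off, p + IP_HDR_LEN, dlen);
        expect = off + dlen;
        if (!(fo & IP_MF)) have_last = 1;
    }
    if (!have_last) return 0;
    put16(out + 2, (uint16_t)(IP_HDR_LEN + expect));   /* fix up total length */
    put16(out + 6, 0);                                 /* clear flags/offset */
    return IP_HDR_LEN + expect;
}

/* Build, fragment and inspect one datagram; reports fragment count, how many
 * fragments expose ports, and the destination port seen after reassembly. */
static int run_demo(size_t payload_len, size_t mtu, int *with_ports, int *dport_after)
{
    uint8_t pkt[MAX_PKT], reasm[MAX_PKT];
    struct frag frags[MAX_FRAGS];
    uint16_t sp = 0, dp = 0;
    size_t len = build_udp_datagram(pkt, payload_len, 5000, 53, 0x1234);
    int n = len ? ip_fragment_packet(pkt, len, mtu, frags) : -1;
    if (n < 0) return -1;
    *with_ports = 0;
    for (int i = 0; i < n; i++)
        if (udp_ports_visible(frags[i].data, frags[i].len, &sp, &dp) == 0) (*with_ports)++;
    size_t rlen = ip_reassemble(frags, n, reasm);
    *dport_after = (rlen && udp_ports_visible(reasm, rlen, &sp, &dp) == 0) ? dp : -1;
    return n;
}

int demo_fragment_count(size_t payload_len, size_t mtu)          { int a = 0, b = -1; return run_demo(payload_len, mtu, &a, &b); }
int demo_fragments_exposing_ports(size_t payload_len, size_t mtu) { int a = 0, b = -1; return run_demo(payload_len, mtu, &a, &b) < 0 ? -1 : a; }
int demo_dport_after_reassembly(size_t payload_len, size_t mtu)   { int a = 0, b = -1; return run_demo(payload_len, mtu, &a, &b) < 0 ? -1 : b; }

int main(void)
{
    printf("1400-byte UDP payload at MTU 576: %d fragments, %d with visible ports\n",
           demo_fragment_count(1400, 576), demo_fragments_exposing_ports(1400, 576));
    printf("destination port after reassembly: %d\n", demo_dport_after_reassembly(1400, 576));
    return 0;
}
```

With the constructed input the 1428-byte datagram becomes three fragments, and only the first yields ports; a keep-state rule keyed on ports therefore never matches the other two, which is exactly the failure described above. After the toy reassembly the whole datagram exposes port 53 again, which is why moving the firewall call after ip_reass() (or normalizing with pf scrub) fixes it.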