keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Oliver Fromme olli at lurza.secnetix.de
Wed Mar 18 03:34:10 PDT 2009


I'm just curious ...  Is it really worth the effort to add
fragment reassembly to IPFW?  What advantage does it have?

It would be much easier to simply pass all fragments with
offset > 1, and drop all fragments with offset 0 that are
smaller than a certain reasonable minimum length.  What
would be the problem with this approach?

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht
München, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"IRIX is about as stable as a one-legged drunk with hypothermia
in a four-hundred mile per hour wind, balancing on a banana
peel on a greased cookie sheet -- when someone throws him an
elephant with bad breath and a worse temper."
        -- Ralf Hildebrandt
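
The stateless policy proposed in the message above, written out as an added example; it is not part of the original post and is not IPFW code. The function and enum names, the 20-byte minimum and the decision to drop offset 1 (which the post does not cover) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frag_verdict { FRAG_PASS, FRAG_DROP, FRAG_EVAL_RULES };
/* Assumed minimum payload of a first fragment (hypothetical value). */
#define MIN_FIRST_FRAG_PAYLOAD 20

/* Classify one raw IPv4 packet whose header starts at pkt[0]. */
enum frag_verdict classify_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_DROP;                  /* no usable IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return FRAG_DROP;                  /* inconsistent lengths */
    unsigned ff = ((unsigned)pkt[6] << 8) | pkt[7];
    unsigned offset = ff & 0x1fff;         /* fragment offset, units of 8 bytes */
    int more_frags = (ff & 0x2000) != 0;   /* MF flag */
    if (offset > 1)
        return FRAG_PASS;                  /* later fragment: pass as proposed */
    if (offset == 1)
        return FRAG_DROP;                  /* assumption: not covered by the post */
    if (more_frags && total - ihl < MIN_FIRST_FRAG_PAYLOAD)
        return FRAG_DROP;                  /* first fragment below the minimum */
    return FRAG_EVAL_RULES;                /* offset 0: normal rule evaluation */
}

/* Build a constructed 20-byte IPv4/UDP header for the demo. */
static void make_ipv4(uint8_t *b, unsigned total, unsigned frag_field)
{
    memset(b, 0, 20);
    b[0] = 0x45;                           /* version 4, IHL 5 */
    b[2] = (uint8_t)(total >> 8);      b[3] = (uint8_t)total;
    b[6] = (uint8_t)(frag_field >> 8); b[7] = (uint8_t)frag_field;
    b[9] = 17;                             /* protocol: UDP */
}

int main(void)
{
    /* Constructed samples: {total length, flags+offset field}. */
    static const unsigned s[][2] = {{28, 0x2000}, {1500, 0x2000}, {1500, 0x00b9}};
    uint8_t pkt[1500];
    for (size_t i = 0; i < 3; i++) {
        make_ipv4(pkt, s[i][0], s[i][1]);
        printf("len=%u frag=0x%04x -> %d\n", s[i][0], s[i][1], classify_fragment(pkt, sizeof pkt));
    }
    return 0;
}
```

Only packets that return `FRAG_EVAL_RULES` still carry a transport header, so port and state matching applies to them alone; fragments passed by offset are accepted without any port or state check.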

