keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Dmitriy Demidov
dima_bsd at inbox.lv
Thu Mar 19 12:29:07 PDT 2009
On Wednesday 18 March 2009, Oliver Fromme wrote:
> I'm just curious ... Is it really worth the effort to add
> fragment reassembly to IPFW? What advantage does it have?
>
> It would be much easier to simply pass all fragments with
> offset > 1, and drop all fragments with offset 0 that are
> smaller than a certain reasonable minimum length. What
> would be the problem with this approach?
>
> Best regards
> Oliver
Please wait... If I got it right (and am not missing something), then this rule:
ipfw add allow ip from any to me frag
has a disadvantage - I'm unable to filter data by UDP/TCP ports. All IP
packets are just passing through the firewall to me. No UDP/TCP filtering here?
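
The port-filtering question above, as an added example that is not part of the original message and is not ipfw code: a toy Python model that fragments one constructed 3000-byte UDP datagram and shows that only the offset-0 fragment carries a port for a rule to match. The addresses, ports, function names and the two-rule filter are assumptions made for illustration.

```python
import struct

def ipv4_fragments(payload: bytes, mtu: int = 1500, proto: int = 17):
    """Split an L4 datagram into IPv4 fragments (20-byte header, no options)."""
    step = (mtu - 20) // 8 * 8            # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        mf = 0x2000 if off + step < len(payload) else 0   # More Fragments flag
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), 0x1234,
                          mf | (off // 8), 64, proto, 0,   # checksum left at 0
                          bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frags.append(hdr + chunk)
    return frags

def classify(pkt: bytes):
    """Return (fragment_offset, more_fragments, dst_port or None)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    offset, mf = flags_off & 0x1FFF, bool(flags_off & 0x2000)
    # Only the offset-0 fragment begins with the UDP/TCP header.
    if offset == 0 and pkt[9] in (6, 17) and len(pkt) >= ihl + 4:
        return offset, mf, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return offset, mf, None

def stateless_filter(pkt, allowed_port, allow_frag):
    """Toy model: a port rule, then an optional rule for non-first fragments.
    Assumption: 'frag' matches only fragments with a non-zero offset."""
    offset, _mf, dport = classify(pkt)
    if dport == allowed_port:
        return "allow (port rule)"
    if allow_frag and offset > 0:
        return "allow (frag rule)"
    return "deny"

def demo(dst_port, allowed_port=53, allow_frag=True):
    # Constructed sample: UDP header plus 3000 bytes of filler -> 3 fragments.
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + 3000, 0) + b"A" * 3000
    return [stateless_filter(f, allowed_port, allow_frag)
            for f in ipv4_fragments(udp)]

if __name__ == "__main__":
    for args in [(53,), (9999,), (53, 53, False)]:
        print(args, demo(*args))
```

With the fragment rule enabled, the trailing fragments of a datagram to port 9999 are accepted with no port check even though its first fragment is denied; with it disabled, the trailing fragments of an allowed port-53 datagram are dropped.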