keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Oliver Fromme
olli at lurza.secnetix.de
Fri Mar 20 16:47:23 PDT 2009
Dmitriy Demidov wrote:
> Oliver Fromme wrote:
> > I'm just curious ... Is it really worth the effort to add
> > fragment reassembly to IPFW? What advantage does it have?
> >
> > It would be much easier to simply pass all fragments with
> > offset > 1, and drop all fragments with offset 0 that are
> > smaller than a certain reasonable minimum length. What
> > would be the problem with this approach?
>
> Please wait... If I got it right (and don't miss something), then this rule:
> ipfw add allow ip from any to me frag
> has a disadvantage - I'm unable to filter data by UDP/TCP ports. All IP
> packets are just passing through the firewall to me. No UDP/TCP filtering here?
From the ipfw(8) manual page:

    frag    Matches packets that are fragments and not the
            first fragment of an IP datagram.

That rule does _not_ pass the first fragment of a fragmented
packet. So you can still filter by TCP and UDP ports.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich Registry Court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Munich Registry
Court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"We will perhaps eventually be writing only small modules which are
identified by name as they are used to build larger ones, so that devices
like indentation, rather than delimiters, might become feasible for
expressing local structure in the source language." -- Donald E. Knuth, 1974
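To make the point of the reply concrete, here is an added Python model (written for this thread, not ipfw's own code) of how the quoted `frag` semantics interact with ordinary port rules for one fragmented UDP datagram, including the minimum-length check for first fragments suggested earlier in the thread. The rule numbers, the 64-byte minimum and the sample fragments are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed "reasonable minimum length" for a first fragment (constructed value).
MIN_FIRST_FRAG_LEN = 64


@dataclass
class Fragment:
    proto: str            # "udp" or "tcp"
    offset: int           # IP fragment offset, in 8-byte units
    more_fragments: bool  # IP "more fragments" (MF) flag
    length: int           # IP payload length of this fragment, in bytes
    dport: Optional[int]  # transport dst port; only known when offset == 0


# Constructed ruleset, evaluated first match wins, like ipfw rule numbers.
RULES = [
    # Drop first fragments that are too short to carry a transport header
    # (the minimum-length idea from the thread).
    (50, "deny", lambda f: f.offset == 0 and f.more_fragments
                           and f.length < MIN_FIRST_FRAG_LEN),
    # ipfw(8) "frag": fragments that are NOT the first fragment.
    (100, "allow", lambda f: f.offset > 0),
    # Ordinary port rules; these only ever see offset-0 packets.
    (200, "allow", lambda f: f.proto == "udp" and f.dport == 53),
    (300, "allow", lambda f: f.proto == "tcp" and f.dport == 22),
    # Default rule.
    (65535, "deny", lambda f: True),
]


def evaluate(frag: Fragment):
    """Return (rule number, action) of the first rule matching this fragment."""
    for number, action, match in RULES:
        if match(frag):
            return number, action
    raise AssertionError("the default rule always matches")


def classify_datagram(fragments):
    """Evaluate every fragment of one datagram, in arrival order."""
    return [evaluate(f) for f in fragments]


if __name__ == "__main__":
    # Constructed: a large DNS reply split into two fragments.
    dns = [Fragment("udp", 0, True, 1480, 53), Fragment("udp", 185, False, 520, None)]
    print("DNS datagram:", classify_datagram(dns))
    # Constructed: same shape, but aimed at a port with no allow rule.
    other = [Fragment("udp", 0, True, 1480, 111), Fragment("udp", 185, False, 520, None)]
    print("port 111 datagram:", classify_datagram(other))
```

The first fragment carries the UDP header and never matches rule 100, so the port rules still decide its fate; the later fragments pass on rule 100 but are useless to the receiver without the first one.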