Two minor IPFW-related questions

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jul 29 03:48:10 UTC 2008


In message <878wvlv30m.fsf at kobe.laptop>, 
Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:

>On Mon, 28 Jul 2008 18:15:32 -0700, "Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:
>> Just a couple of questions about IPFW-related things:
>>
>> 1) Somewhere the other day I read a recommendation... which looked
>> rather official to me at the time... that all fragments should be
>> firewalled out, e.g. thusly:
>>
>>         deny any to any in frag
>>
>> Is that actually a Good Thing To Do?  Are there really no legitimate
>> packet fragments out there on the Internet?

First let me send a big THANK YOU to Giorgos Keramidas for providing such
timely and detailed replies to my IPFW questions.  Much appreciated.

Now that I've got that out of the way, let me say a couple of things.

First, on one particular machine of mine, I'm seeing a fair number...
many dozens or so per hour... of /var/log/security logfile entries for
ipfw-rejected packet fragments.  This is on a machine that has a very
busy name server.  The nameserver in question was recently upgraded
to bind 9.5.0-P1 (so I'm not worried that there is any kind of attack
going on here) _and_ also the ipfw ruleset recently had this added:

   deny any to any in frag

The majority of the rejected "frag" packets are UDP packets, and I've
just now determined that many/most/all of those are coming from actual
name servers elsewhere.  In short, I do believe that these packet fragments
are mostly (or entirely) perfectly legitimate packet fragments... probably
partial answers to DNS queries that the nameserver on this machine sent out.

So now, given that I understand (or believe I do, anyway) everything that
you, Giorgos, said about the possibility of a DoS attack based on packet
fragmentation, and given that I _do not_ believe that anybody has it in
mind to do a DoS against me at the present time (either using packet
fragments or any other sort of DoS technique) is it really wise for me
to be dropping all of these DNS response packet fragments?  Wouldn't I
be better off letting them in?

I'm most particularly concerned about the possibility that... because I
have ipfw dropping all fragments... I may be completely losing some
DNS responses that I actually do want, and for which there are no
other DNS servers that will give me unfragmented answers.  Is this a
reasonable concern?  Might it be wise, in my case, to remove the rule
that's killing all of the packet fragments from my ipfw rule set...
and then just put it back if I ever seem to be undergoing a DoS?


OK, one last question.  I've just read the helpful little brief tutorial
about path MTU discovery... which Google helped me to find:

  http://www.netheaven.com/pmtu.html

This is kinda sorta enlightening about why most of the fragments that my
ipfw is currently rejecting are either at offset 1472 or at offset 1480...
but not quite.  What's the significance of these specific offset numbers
(1472 and 1480)?  Is there some particular kind of hardware or well-known
phenomenon (like the one described in the document above) that commonly
produces fragments with those specific offsets, i.e. 1472 and 1480?

Just curious.
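A worked example of the arithmetic behind those two offsets, added here and not part of the original post. IPv4 fragments carry payload in 8-byte units after a 20-byte header, so a link MTU of 1500 (plain Ethernet) puts the second fragment at byte offset 1480, and an MTU of 1492 (the usual PPPoE MTU) puts it at 1472; the 1700-byte DNS response size is a constructed value, and only the first fragment carries the UDP header, which is why port-based rules cannot match the rest and a blanket `frag` rule is what catches them.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8   # bytes, sits at the start of the first fragment only


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's payload in the original datagram
    length: int   # bytes of IP payload carried in this fragment
    more: bool    # MF ("more fragments") flag

    @property
    def wire_offset(self) -> int:
        """Fragment Offset field as transmitted: units of 8 bytes."""
        return self.offset // 8

    @property
    def carries_udp_header(self) -> bool:
        """Only the first fragment holds the UDP ports; later ones are opaque payload."""
        return self.offset == 0 and self.length >= UDP_HEADER


def fragment(total_len: int, mtu: int, ip_hdr: int = IP_HEADER) -> list[Fragment]:
    """Split an IPv4 datagram of total_len bytes (header included) for a link with this MTU."""
    payload = total_len - ip_hdr
    if total_len <= mtu:
        return [Fragment(0, payload, False)]
    # every non-final fragment carries as much payload as fits, rounded down to 8 bytes
    chunk = (mtu - ip_hdr) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append(Fragment(off, n, off + n < payload))
        off += n
    return frags


def mtu_range_for_offset(offset: int, ip_hdr: int = IP_HEADER) -> tuple[int, int]:
    """Inclusive range of link MTUs that place the second fragment at this byte offset."""
    return offset + ip_hdr, offset + ip_hdr + 7


if __name__ == "__main__":
    # constructed example: a 1700-byte DNS response (IP total length) crossing two link types
    for mtu in (1500, 1492):
        print(mtu, [(f.offset, f.length, f.more, f.carries_udp_header) for f in fragment(1700, mtu)])
    print(mtu_range_for_offset(1480), mtu_range_for_offset(1472))
```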


More information about the freebsd-questions mailing list