ipf and fragments

Mark Andrews Mark_Andrews at isc.org
Thu Jun 2 04:01:18 GMT 2005


	It looks like ipf is not handling fragmented UDP responses
	correctly.  Is there anything in particular that I need to
	say to ipf to make it process the fragments?  Unfragmented
	responses make it through the firewall.  It appears to be
	independent of fragment order.

FreeBSD bsdi.dv.isc.org 4.11-STABLE FreeBSD 4.11-STABLE #22: Mon Jan  3 22:18:47 EST 2005     marka at bsdi.dv.isc.org:/usr/obj/usr/src/sys/BSDI  i386

	Mark

# ipfstat
 IPv6 packets:          in 113941974 out 85668683
 input packets:         blocked 17889 passed 148735618 nomatch 39228854 counted 0 short 0
output packets:         blocked 880 passed 118396248 nomatch 13144559 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 17468 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 162370     lost 260
packet state(out):      kept 97632      lost 880
ICMP replies:   17464   TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  75931163        (out):  73331918
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  272     failed: 0
Fastroute successes:    17464   failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none



13:44:50.908545 220.237.98.197.3484 > 65.201.175.17.53:  20803 [1au] Type65323? NLnetLabs.nl.dlv.verisignlabs.com. (62)
                         4500 005a a14b 0000 3f11 a9ba dced 62c5
                         41c9 af11 0d9c 0035 0046 024a 5143 0010
                         0001 0000 0000 0001 094e 4c6e 6574 4c61
                         6273 026e 6c03 646c 760c 7665 7269 7369
                         676e 6c61 6273 0363 6f6d 00ff 2b00 0100
                         0029 0800 0000 8000 0000
13:44:51.146830 65.201.175.17.53 > 220.237.98.197.3484:  20803*-% 2/2/7 Type65323, RRSIG (1472) (frag 1441:1480 at 0+)
13:44:51.146887 65.201.175.17 > 220.237.98.197: udp (frag 1441:110 at 1480)
                         4500 0082 05a1 00b9 2d11 5684 41c9 af11
                         dced 62c5 d679 a96d 8e81 56e6 bddb d3a0
                         f32a 1ed9 6036 ed61 ee91 2577 060f 0239
                         ed0b 322a f7cc 4bca 088d 68b5 8aca 4910
                         7ed0 f810 d650 9d82 720f 938b 7a5d 3460
                         4a18 eb54 4860 92c3 72d3 e220 0b02 272d
                         8aa9 4e99 3cf4 c115 d9f6 e307 3443 d2f0
                         2001 768b 3f11 1900 0029 1000 0000 8000
                         0000
13:44:51.147093 220.237.98.197 > 65.201.175.17: icmp: net 192.168.191.236 unreachable
                         4500 0038 05a1 0000 4001 4497 dced 62c5
                         41c9 af11 0300 97b0 0000 0000 4500 0082
                         05a1 00b9 2d11 15a2 41c9 af11 c0a8 bfec
                         d679 a96d 8e81 56e6

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark_Andrews at isc.org
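
Added example, not part of the original post: a short Python decoder for the IPv4 header of the second fragment (13:44:51.146887) and for the ICMP unreachable that answers it (13:44:51.147093), using bytes copied from the capture above. It checks the header checksums and reports which fields differ between the fragment on the wire and the copy quoted inside the ICMP error; the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Bytes copied from the capture in the post: the IP header of the second
# fragment as seen on the wire, and the complete ICMP unreachable packet.
FRAG2_WIRE = bytes.fromhex("4500008205a100b92d11568441c9af11dced62c5")
ICMP_PKT = bytes.fromhex(
    "4500003805a1000040014497dced62c541c9af11"  # outer IP header
    "030097b000000000"                          # ICMP header (type, code, cksum, unused)
    "4500008205a100b92d1115a241c9af11c0a8bfec"  # quoted IP header
    "d679a96d8e8156e6")                         # first 8 bytes of quoted payload

def parse_ipv4(buf):
    """Decode an IPv4 header into the fields relevant to fragment handling."""
    vihl, _tos, length, ident, frag, ttl, proto, _ck, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    # One's-complement sum over the header; a valid header folds to 0xFFFF.
    total = sum(struct.unpack(f"!{ihl // 2}H", buf[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return {
        "ihl": ihl, "length": length, "id": ident, "proto": proto, "ttl": ttl,
        "mf": bool(frag & 0x2000), "offset": (frag & 0x1FFF) * 8,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": total == 0xFFFF,
    }

def parse_icmp_error(buf):
    """Split an ICMP error into (outer header, type, code, quoted header)."""
    outer = parse_ipv4(buf)
    icmp = buf[outer["ihl"]:]
    # The quoted datagram starts after the 8-byte ICMP header.
    return outer, icmp[0], icmp[1], parse_ipv4(icmp[8:])

def rewritten_fields(wire, quoted):
    """Names of decoded fields that differ between wire copy and quoted copy."""
    return sorted(k for k in wire if wire[k] != quoted[k])

if __name__ == "__main__":
    wire = parse_ipv4(FRAG2_WIRE)
    outer, icmp_type, code, quoted = parse_icmp_error(ICMP_PKT)
    print("on wire:", wire)
    print("quoted :", quoted)
    print("icmp type/code:", icmp_type, code)
    print("fields changed before the reject:", rewritten_fields(wire, quoted))
```

The quoted header is the same fragment (id 1441, offset 1480, last fragment) with a valid checksum, but its destination is 192.168.191.236 rather than 220.237.98.197, which is the address tcpdump prints in the "unreachable" line.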

